Pass-The-Hash: Gaining Root Access to Your Network
June 24, 2014
Tim Slaybaugh, Cyber Incident Analyst, Northrop Grumman Information Systems

What is Pass-The-Hash?
“Attackers using PtH completely compromise just about every network they hit. Pretty much every APT attack team uses them.”
– Roger Grimes, InfoWorld
PWDump runs from the command line and dumps LM and NTLM hashes from the local SAM hive.
PWDump and its dependency, libeay32.dll, recorded in $LogFile
PWDump in AV signature database
Keywords used to identify PWDump activity:
Unlike most PTH tools, Mimikatz will run from the root of Windows.
Mimikatz hooks the System Service Descriptor Table (SSDT) in a manner similar to rootkit activity.
Looking at mimikatz.exe using Volatility plugin ‘handles’
Runs from across the network via PSEXESVC
‘Handles’ will also identify this hook into the Local Security Authority Subsystem Service (lsass.exe).
Mimikatz.exe and conhost.exe start up at the same time, indicating that mimikatz is likely being controlled through an interactive console.
Console activity can be recovered from memory.
Mimikatz is logged in the Windows power configuration file, ‘energy-ntkl.etl’.
Keywords used to identify Mimikatz activity:
Keywords used to identify gsecdump activity:
Iam.dll requires a dependent library, iamdll.dll.
Strings extracted from the iamdll.dll indicate that it is capable of changing NTLM credentials.
Indicators of the PSH Toolkit can be found in several Windows metadata files like $LogFile seen above.
Keywords used to identify PSH Toolkit activity:
Library called by WCE.exe
Windows Time Stamp
Wceaux.dll is dropped in the user’s AppData\Local\Temp directory.
BootCKCL.etl located at %System32%\WDI\LogFiles generates a boot trace each time a profile logs on. WCE.EXE shows up if it is set for persistence.
Windows Credential Editor set for persistence with the -r switch.
WCE injects into the lsass.exe process every five seconds to dump user credentials.
Keywords used to identify WCE.EXE activity:
Scenarios for Pass-The-Hash:
Grep for hashes in memory also!
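The keyword lists on the tool slides above and the "grep for hashes in memory" advice describe one workflow: sweep acquired artifacts ($LogFile, the .etl traces, pagefile.sys or a memory image) for the tool names and for pwdump-style credential lines. The following is an added example of that sweep, not code from the deck; the keyword table and the sample image are constructed here, and UTF-16LE forms are searched as well because Windows metadata files frequently hold wide strings.

```python
import re
from typing import Dict, List

# Tool indicator strings drawn from the slides (constructed list, not exhaustive).
TOOL_KEYWORDS: Dict[str, List[str]] = {
    "pwdump": ["pwdump", "libeay32.dll"],
    "mimikatz": ["mimikatz"],
    "gsecdump": ["gsecdump"],
    "psh_toolkit": ["iam.dll", "iamdll.dll"],
    "wce": ["wce.exe", "wceaux.dll"],
    "psexec": ["psexesvc"],
}

# pwdump-style credential line: user:RID:LMhash:NThash:::
# The user-name class is restricted to printable characters so padding bytes
# before a line are not swallowed into the match.
HASH_LINE = re.compile(rb"[A-Za-z0-9_.$-]{1,64}:\d{1,10}:[0-9a-f]{32}:[0-9a-f]{32}:::", re.IGNORECASE)


def _patterns(keyword: str) -> List[re.Pattern]:
    """ASCII and UTF-16LE forms of one keyword; byte-level IGNORECASE folds ASCII letters."""
    return [
        re.compile(re.escape(keyword.encode("ascii")), re.IGNORECASE),
        re.compile(re.escape(keyword.encode("utf-16-le")), re.IGNORECASE),
    ]


def scan_image(data: bytes) -> Dict[str, object]:
    """Return tool hits (tool -> sorted byte offsets) and pwdump-style lines found in data."""
    tools: Dict[str, List[int]] = {}
    for tool, keywords in TOOL_KEYWORDS.items():
        offsets = sorted(m.start() for kw in keywords for pat in _patterns(kw) for m in pat.finditer(data))
        if offsets:
            tools[tool] = offsets
    hashes = [(m.start(), m.group().decode("ascii")) for m in HASH_LINE.finditer(data)]
    return {"tools": tools, "hash_lines": hashes}


# Constructed sample "image": padding, an ASCII tool path, a wide-string DLL name, one hash line.
SAMPLE = (
    b"\x00" * 16
    + b"C:\\Windows\\Temp\\mimikatz.exe\x00"
    + b"\x00" * 8
    + "wceaux.dll".encode("utf-16-le")
    + b"\x00" * 8
    + b"Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::\n"
)

if __name__ == "__main__":
    result = scan_image(SAMPLE)
    for tool, offs in result["tools"].items():
        print(f"{tool}: offsets {offs}")
    for off, line in result["hash_lines"]:
        print(f"hash line at {off}: {line}")
```

Run it against a carved file or raw image by reading the bytes and passing them to scan_image; hits give offsets to pivot into with a hex viewer or Volatility.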
Call stack of a server side RPC call. This connection was initiated from a remote system.
Data was recovered from ‘pagefile.sys’.
Remote connection from mimikatz.exe via named pipe
Security = Impersonation Dynamic False – User has full privileges
pipe\svcctl – access to all processes running
The lsarpc interface is used to communicate with the Local Security Authority
Output from the Volatility plugin ‘handles’ gives a clear indication that mimikatz was executed across the network via a PSEXESVC named pipe.
Require SMB Security Signatures
Windows Credential Editor connects using a named pipe for its own proprietary service.
Connections can often be correlated through local system event logs
Access to the share with System level privileges
Access to all services running on the system