Atomic Red Team Tools -2: Detect Pass the Hash Attack
NTLM authentication lets a user authenticate to a Windows service with the hash of the password rather than the plaintext password itself. The pass-the-hash technique tested in this post works by starting a new logon session under a fake identity and then replacing that session's credential material with the domain, username, and NTLM hash supplied during the login process.
It should be noted that this modification involves patching LSASS memory, which requires local admin privileges and may not be possible at all if Protected Process Light (PPL) is enabled.
Mimikatz can also be executed in the background of a Beacon session using the dedicated pth command.
Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user’s cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.
Let’s test in our Lab 🙂 using Atomic Red Team tools:
- Atomic Test #1 — Mimikatz Pass the Hash
- Atomic Test #2 — crackmapexec Pass the Hash
- Atomic Test #3 — Invoke-WMIExec Pass the Hash
To learn more about how hashes are dumped, see this excellent reference: https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth
The snippet above shows the commands and how they were executed. Once the commands have run successfully, we can hunt for the resulting events in the SIEM.
Additional Info:
Sysmon will record the process creation event for cmd.exe, including the command line argument \\.\pipe\16ca6d. This unusual pattern can be searched for in Kibana:
A successful pass-the-hash operation also generates Security event 4624 with logon type 9 (NewCredentials). The Logon ID of the new session is recorded in this event, so we can cross-reference it with the event that recorded the process creation.
event.code: 4624 and winlog.logon.type: 9
The TargetUserName and TargetOutboundUserName fields tell us that NT AUTHORITY\SYSTEM has impersonated Harryp.
To avoid the \\.\pipe\ indicator, we can execute Mimikatz manually and specify our own process.
beacon> mimikatz sekurlsa::pth /user:Harryp /domain:dev.Marvel.local /ntlm:4ffd3eabdce2e158d923ddec72de979e
user : Harryp
domain : dev.Marvel.local
program : cmd.exe
impers. : no
NTLM : 4ffd3eabdce2e158d923ddec72de979e
| PID 6284
| TID 6288
| LSA Process is now R/W
| LUID 0 ; 3540226 (00000000:00360502)
\_ msv1_0 - data copy @ 0000024DC0DAD550 : OK !
....etc.
If no /run parameter is specified, cmd.exe is started. This can cause a process window to appear on the user's desktop, which is less of a concern if you are running as SYSTEM with no desktop session attached, but has obvious implications otherwise.
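The two detection points above (the Sysmon process creation carrying the \\.\pipe\ argument, and the 4624 logon type 9 event cross-referenced by Logon ID) can be combined into one correlation. The script below is an added example written for this post, not code from the original page or from Atomic Red Team. The events it runs over are constructed samples in the winlog/ECS field style of the Kibana query above; the TargetLogonId and LogonId keys, the sample Logon IDs and the echo-to-pipe command line are assumptions, not values captured from the lab. It also covers the manual pth variant just described: a type 9 logon whose child process has no pipe argument still gets a finding, only at lower confidence.

```python
"""Correlate Security 4624 (logon type 9, NewCredentials) events with Sysmon
process-creation events (event.code 1) by Logon ID to flag likely pass-the-hash
activity. Added example for this post; all events below are constructed."""
import json
import re

# Named-pipe argument the default Mimikatz/Beacon pth run hands to cmd.exe,
# i.e. a literal \\.\pipe\ followed by a hex token (assumed format).
PIPE_ARG = re.compile(r"\\\\\.\\pipe\\[0-9a-f]+", re.IGNORECASE)

# Constructed newline-delimited JSON, shaped like a SIEM export of winlog events.
# Pair 1: default pth run (type 9 logon + cmd.exe with the pipe argument).
# Pair 2: manual pth run that avoids the pipe indicator (type 9 logon + plain cmd.exe).
# Pair 3: ordinary interactive logon (type 2) and a benign process, to show no finding.
SAMPLE_EVENTS = r"""
{"event":{"code":"4624"},"winlog":{"logon":{"type":"9"},"event_data":{"SubjectUserName":"SYSTEM","SubjectDomainName":"NT AUTHORITY","TargetUserName":"SYSTEM","TargetDomainName":"NT AUTHORITY","TargetOutboundUserName":"Harryp","TargetOutboundDomainName":"dev.Marvel.local","TargetLogonId":"0x360502"}}}
{"event":{"code":"1"},"winlog":{"event_data":{"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c echo 16ca6d > \\\\.\\pipe\\16ca6d","LogonId":"0x360502","User":"NT AUTHORITY\\SYSTEM"}}}
{"event":{"code":"4624"},"winlog":{"logon":{"type":"9"},"event_data":{"SubjectUserName":"SYSTEM","SubjectDomainName":"NT AUTHORITY","TargetUserName":"SYSTEM","TargetDomainName":"NT AUTHORITY","TargetOutboundUserName":"Harryp","TargetOutboundDomainName":"dev.Marvel.local","TargetLogonId":"0x37a1c4"}}}
{"event":{"code":"1"},"winlog":{"event_data":{"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe","LogonId":"0x37a1c4","User":"NT AUTHORITY\\SYSTEM"}}}
{"event":{"code":"4624"},"winlog":{"logon":{"type":"2"},"event_data":{"SubjectUserName":"-","TargetUserName":"Harryp","TargetDomainName":"DEV","TargetLogonId":"0x5a3f1"}}}
{"event":{"code":"1"},"winlog":{"event_data":{"Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe","LogonId":"0x5a3f1","User":"DEV\\Harryp"}}}
"""


def parse_events(ndjson):
    """Parse newline-delimited JSON events into dicts, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def event_data(ev):
    """Return the winlog.event_data sub-document (empty dict if absent)."""
    return ev.get("winlog", {}).get("event_data", {})


def newcredentials_logons(events):
    """The post's Kibana query: event.code:4624 and winlog.logon.type:9."""
    return [ev for ev in events
            if ev["event"]["code"] == "4624"
            and ev.get("winlog", {}).get("logon", {}).get("type") == "9"]


def processes_by_logon_id(events):
    """Index Sysmon process-creation events by the LogonId of the token they run under."""
    index = {}
    for ev in events:
        if ev["event"]["code"] == "1":
            index.setdefault(event_data(ev).get("LogonId"), []).append(ev)
    return index


def detect_pth(events):
    """One finding per NewCredentials logon, enriched with the processes that ran
    under that logon session and whether the default pth pipe argument was seen."""
    procs = processes_by_logon_id(events)
    findings = []
    for ev in newcredentials_logons(events):
        data = event_data(ev)
        logon_id = data.get("TargetLogonId")
        children = procs.get(logon_id, [])
        pipe_seen = any(PIPE_ARG.search(event_data(p).get("CommandLine", ""))
                        for p in children)
        findings.append({
            "logon_id": logon_id,
            # Who performed the logon (TargetUserName) vs. who is impersonated (TargetOutboundUserName)
            "caller": f"{data.get('TargetDomainName')}\\{data.get('TargetUserName')}",
            "impersonated": f"{data.get('TargetOutboundDomainName')}\\{data.get('TargetOutboundUserName')}",
            "processes": [event_data(p).get("Image") for p in children],
            "pipe_indicator": pipe_seen,
            # Type 9 alone also fires for legitimate runas /netonly, so only the
            # pipe argument lifts a finding to high confidence.
            "confidence": "high" if pipe_seen else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_pth(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(finding))
```

Run as-is it prints two findings: the first (Logon ID 0x360502) carries the pipe indicator and is rated high, the second (0x37a1c4) is the pipe-free variant and is rated medium; the type 2 logon produces nothing. The medium tier matters in practice because logon type 9 is also what a legitimate runas /netonly produces, so the Logon ID join to the spawned process and the caller/impersonated mismatch are what an analyst would triage on, not the event code alone.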
Detect process executions in SIEM:
Create a query to detect and trigger alerts
Alert Notification
Reference:
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md
https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth
https://www.beyondtrust.com/resources/glossary/pass-the-hash-pth-attack
https://attack.mitre.org/techniques/T1550/002/
I appreciate you reading this blog. If you think it has been valuable, please give it a thumbs up. If you enjoy it, share with your friends and other members of your community. Stay tuned for the next blog!