Mitigate the Risk of Pass the Hash Attacks in Your IT Environment

With Netwrix Access Analyzer

Pass the Hash is a technique in which an attacker authenticates as a user using their password hash, instead of having to obtain their plaintext password. This attack abuses the NTLM authentication protocol and can be used against both regular and privileged accounts to enable adversaries to move laterally and escalate their privileges. This attack is hard to detect, so it is vital to limit the ability of adversaries to compromise the password hashes required to execute the attack in the first place — especially the hashes of administrative accounts. 

One of the best ways to reduce the value of compromised password hashes is to minimize the number of accounts with elevated rights. Use Netwrix Access Analyzer to regularly check which users have administrative rights on workstations through either direct or nested group membership and promptly remove unnecessary members.
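The direct-versus-nested membership check described above, as an added example that is not Netwrix product code: it flattens a workstation's local Administrators group through nested groups (tolerating circular nesting) and reports every account that is not on an approved list, together with the membership path that grants it the rights. The group data, account names and approved list are constructed for illustration.

```python
from collections import deque

# Constructed sample data: group -> members, as it might be exported from AD and
# from one workstation's local Administrators group (all names are hypothetical).
# Every group appears as a key; anything that is not a key is treated as an account.
MEMBERS = {
    r"WKS01\Administrators": [r"CORP\Domain Admins", r"CORP\Helpdesk-T2", r"CORP\svc_backup"],
    r"CORP\Domain Admins": [r"CORP\alice"],
    r"CORP\Helpdesk-T2": [r"CORP\Helpdesk-T1", r"CORP\bob"],
    r"CORP\Helpdesk-T1": [r"CORP\carol", r"CORP\Helpdesk-T2"],  # circular nesting
}

def effective_members(root, members):
    """Return {account: shortest membership path from root} for every account."""
    paths = {}
    seen = {root}
    queue = deque([(root, [root])])
    while queue:
        group, path = queue.popleft()
        for child in members.get(group, []):
            if child in members:            # nested group: descend into it only once
                if child not in seen:
                    seen.add(child)
                    queue.append((child, path + [child]))
            elif child not in paths:        # account: keep the first (shortest) path
                paths[child] = path + [child]
    return paths

def unapproved_admins(root, members, approved):
    """Accounts holding admin rights that are not approved, with the granting path."""
    return {acct: path
            for acct, path in effective_members(root, members).items()
            if acct not in approved}

if __name__ == "__main__":
    approved = {r"CORP\alice"}              # hypothetical list of intended admins
    findings = unapproved_admins(r"WKS01\Administrators", MEMBERS, approved)
    for acct, path in sorted(findings.items()):
        kind = "direct" if len(path) == 2 else "nested"
        print(f"{acct:18} {kind:7} via {' -> '.join(path)}")
```

The reported path shows which group to remove the account from, or which nested group to unlink, to revoke the rights.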

Reduce administrative rights in accordance with the least-privilege principle: 

See how you can mitigate the risk of Pass the Hash attacks in 3 steps:

1.

Restrict logon rights for privileged accounts

To make it harder for adversaries to acquire the password hashes of highly privileged accounts, restrict those accounts from logging on to workstations. Netwrix Enterprise Auditor provides easy-to-read reports on the logon restrictions enforced through user rights assignments (e.g. Allow Log On Through Remote Desktop Services) and the logon policies that can restrict local accounts.

2.

Monitor for suspicious use of PowerShell and other tools:

PowerShell and tools like Mimikatz are often used for the credential extraction required to execute Pass the Hash. Use Netwrix Access Analyzer to promptly identify suspicious use of these powerful tools.

3.

Learn how to reduce the likelihood of Pass the Hash and other attacks with Netwrix Access Analyzer

© 2025 Netwrix Corporation

Privacy Policy | EU Privacy Policy | EULA

6160 Warren Parkway, Suite 100 Frisco, TX 75034 | Phone: 1-949-407-5125 | Toll-free: 888-638-9749