How to detect and respond to a Pass-the-Hash attack using ADAudit Plus  

In this article:  

  • Objective

  • Prerequisites

  • Steps to follow

  • Validation and confirmation

  • Tips

  • Related topics and articles

 Objective   

This article explains how to use ADAudit Plus to detect a pass-the-hash (PTH) attack, understand the immediate remediation steps required, and implement long-term prevention strategies.

 Prerequisites   

  • You must have administrator access to the ADAudit Plus web console.

  • The required audit policies to generate Event ID 4624 (An account was successfully logged on) must be enabled on the relevant servers and workstations.

 Steps to follow   

The process for handling a Pass-the-Hash attack involves detection, immediate remediation, and prevention.

 Step 1: Detecting the attack   

  1. Navigate to the Active Directory Tab > Attack Surface Analyzer > Threats > Pass the Hash.

  2. This report shows all detections related to a possible PTH attack.

 Step 2: Understanding the detection criteria   

ADAudit Plus detects a potential PTH attack based on the following logic:

  • Description: An attacker tries to authenticate by using an NTLM hash without knowing the account's plaintext password.

  • Logic 1:

    • Event code equals 4624

    • Logon Process equals seclogo

    • Logon Type equals 9

    • Account Name does not end with $

    • Subject Account Name does not end with $

  • Logic 2:

    • All conditions from Logic 1 are met

    • Followed by, within 60 seconds:

      • Event code equals 10

      • TargetImage contains lsass
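
The two rules above, written out as a small correlation routine so the matching conditions and the 60-second window can be seen running over sample events. This is an added example and not ADAudit Plus's or ManageEngine's code. Field names follow the Windows Security event XML for 4624 (LogonType, LogonProcessName, TargetUserName, SubjectUserName) and the Sysmon ProcessAccess event, which is the event ID 10 that carries a TargetImage field; the Computer and Time keys, the choice to correlate the lsass access on the same host as the logon, and every sample event are assumptions constructed for this example.

```python
# Added example (not ADAudit Plus code): applies Logic 1 and Logic 2 to a list
# of event records.  4624 field names follow the Windows Security event XML,
# TargetImage follows Sysmon event 10.  The Computer/Time keys, the same-host
# correlation and all sample events below are constructed assumptions.
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # Logic 2: lsass access must follow within 60 s


def is_logic1(ev):
    """Logic 1: 4624, logon process seclogo, logon type 9, no machine accounts."""
    return (
        str(ev.get("EventCode")) == "4624"
        and ev.get("LogonProcessName") == "seclogo"
        and str(ev.get("LogonType")) == "9"
        and not ev.get("TargetUserName", "").endswith("$")
        and not ev.get("SubjectUserName", "").endswith("$")
    )


def is_lsass_access(ev):
    """Event 10 whose TargetImage contains 'lsass' (matched case-insensitively)."""
    return str(ev.get("EventCode")) == "10" and "lsass" in ev.get("TargetImage", "").lower()


def detect(events):
    """One finding per Logic 1 hit; upgraded to Logic 2 when an lsass access on
    the same host (assumption) follows within WINDOW.  Events may arrive unsorted."""
    ordered = sorted(events, key=lambda e: e["Time"])
    findings = []
    for i, ev in enumerate(ordered):
        if not is_logic1(ev):
            continue
        finding = {
            "rule": "Logic 1",
            "host": ev["Computer"],
            "account": ev["TargetUserName"],
            "time": ev["Time"],
        }
        for later in ordered[i + 1:]:
            if later["Time"] - ev["Time"] > WINDOW:
                break  # sorted input: nothing further can fall inside the window
            if later["Computer"] == ev["Computer"] and is_lsass_access(later):
                finding["rule"] = "Logic 2"
                finding["lsass_access_time"] = later["Time"]
                break
        findings.append(finding)
    return findings


# Constructed sample events (not real log data).
T0 = datetime(2024, 1, 1, 9, 0, 0)
LSASS = "C:\\Windows\\System32\\lsass.exe"
SAMPLE_EVENTS = [
    # Ordinary interactive logon: LogonProcessName is not seclogo, no match.
    {"Time": T0, "Computer": "WS01", "EventCode": 4624, "LogonType": 2,
     "LogonProcessName": "User32", "TargetUserName": "alice", "SubjectUserName": "WS01$"},
    # Logic 1 hit on WS02 ...
    {"Time": T0 + timedelta(seconds=5), "Computer": "WS02", "EventCode": 4624, "LogonType": 9,
     "LogonProcessName": "seclogo", "TargetUserName": "bob", "SubjectUserName": "bob"},
    # ... followed 20 s later by an lsass access on the same host: upgraded to Logic 2.
    {"Time": T0 + timedelta(seconds=25), "Computer": "WS02", "EventCode": 10,
     "SourceImage": "C:\\Temp\\tool.exe", "TargetImage": LSASS},
    # Machine account with seclogo/type 9: excluded by the trailing-$ conditions.
    {"Time": T0 + timedelta(seconds=40), "Computer": "WS03", "EventCode": 4624, "LogonType": 9,
     "LogonProcessName": "seclogo", "TargetUserName": "WS03$", "SubjectUserName": "WS03$"},
    # Logic 1 hit on WS04 whose lsass access arrives 90 s later: outside the window.
    {"Time": T0 + timedelta(seconds=100), "Computer": "WS04", "EventCode": 4624, "LogonType": 9,
     "LogonProcessName": "seclogo", "TargetUserName": "carol", "SubjectUserName": "carol"},
    {"Time": T0 + timedelta(seconds=190), "Computer": "WS04", "EventCode": 10,
     "SourceImage": "C:\\Temp\\tool.exe", "TargetImage": LSASS},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Run against the samples, the routine reports a Logic 2 finding for bob on WS02 and a Logic 1 finding for carol on WS04; the User32 logon and the machine-account logon produce nothing. Logon type 9 (NewCredentials) with the seclogo logon process is also what a legitimate `runas /netonly` produces, so Logic 1 hits on their own need triage against known administrative activity; a matching lsass access inside the window is what lifts the finding to Logic 2.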

 Step 3: Immediate remediation   

If an active attack is detected, you must act immediately to contain the breach.

  1. Isolate the machines: Identify the source and destination machines from the event log. Isolate both machines from the network immediately to prevent lateral movement.

  2. Reset the compromised account's password: Force a password reset for the user account whose hash was stolen. This invalidates the stolen hash for future NTLM authentications.

  3. Investigate and hunt: Check the destination server for any further suspicious activity performed by the compromised account, such as accessing other systems, creating scheduled tasks, or attempting to dump more credentials.

  4. Scan for malware: Investigate the source machine to understand how the initial credential theft occurred. Scan for malware or credential dumping tools like Mimikatz.

 Validation and confirmation   

  • After remediation, monitor the Pass the Hash report in ADAudit Plus to ensure no new attacks are detected from the isolated systems.

  • Confirm that the compromised user account can no longer access resources with the old, stolen hash.

 Tips   

The following best practices can help prevent PTH attacks.

 Principle of least privilege (PoLP)   

  • Restrict local administrator rights: Standard users should not have local administrator privileges on their workstations. An attacker who compromises a standard user account cannot easily dump hashes from memory without admin rights.

 Secure privileged accounts   

  • Use a tiered access model: Prevent privileged accounts (like Domain Admins) from logging into lower-tier systems like workstations, where their hashes are more likely to be stolen and reused.

  • Implement privileged access management (PAM): Use PAM solutions to provide just-in-time (JIT) and just-enough access, eliminating standing privileges.

 Harden endpoints and servers   

  • Enable Credential Guard: Use Windows Defender Credential Guard to protect NTLM password hashes and other secrets in memory, making them significantly harder for tools to steal.

  • Restrict NTLM: Where possible, configure policies to restrict or disable the use of NTLM authentication in favor of the more secure Kerberos protocol.

  • Keep systems patched: Regularly update operating systems and applications to prevent initial exploitation that could lead to credential theft.

 Network segmentation   

  • Segment the network: Limit lateral movement by segmenting the network. An attacker with a hash stolen from a workstation in one segment should be prevented from accessing critical servers in another.

 Related topics and articles   

  • [To be added]