Pass-the-Hash in 2024: Why Rotating KRBTGT Doesn't Save You
Cybersecurity
Pass-the-Hash still works against most enterprises because the defense is architectural, not a single setting. We cover the modern PtH playbook and the tiered identity model that closes it.
By Arjun Raghavan, Security & Systems Lead, BIPI · November 14, 2024 · 8 min read
Pass-the-Hash is older than the engineers running most SOCs today, but it is still in 80% of the breach reports we read. The reason is not that defenders do not know about it. The reason is that the only durable defense is a tiered admin model, and most environments have spent fifteen years building helpdesk accounts that can RDP to domain controllers.
How attackers move with hashes
Once an attacker has SYSTEM on a single workstation that a privileged admin has logged into, the NTLM hashes of every cached credential are in LSASS. From there, the hash is enough to authenticate over SMB, WinRM, or WMI to anywhere that account has rights.
- Mimikatz sekurlsa::logonpasswords dumps cached credentials. On modern systems, Credential Guard blocks this if it is enabled, which it usually is not.
- secretsdump.py -hashes :ntlmhash administrator@target pulls SAM and LSA secrets remotely, including the local administrator hash that is often shared across the fleet.
- NetExec smb 10.10.10.0/24 -u admin -H ntlmhash --shares sprays a hash across the network to find every host where it works. The output usually includes a domain controller.
- BloodHound paths from the compromised account to high-value targets show which hash to grab next. We typically work upward through HasSession edges to a Domain Admin.
The most common mistake is treating PtH as a workstation problem. The actual problem is that helpdesk accounts can log into both workstations and servers, so a hash captured on a user laptop is the same hash that opens the file server.
What defenders see
Lateral movement with stolen hashes leaves a distinctive signature in the logon events on the target machine.
- 4624 LogonType=3 with AuthenticationPackage=NTLM and a Workstation Name field that contains attacker tooling fingerprints (kali, impacket workstation names) or simply does not match the source IP's hostname.
- 4624 LogonType=9 (NewCredentials) is the classic over-pass-the-hash signature. Normal users do not generate type 9 logons.
- 4672 special privileges assigned to the same account from multiple distinct source IPs in a short window suggests the credential is being sprayed.
- Sysmon Event ID 10 with a TargetImage of lsass.exe and a GrantedAccess of 0x1010 or 0x1410 is the Mimikatz dump signature.
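Running those four signatures over a handful of constructed event records, as an added example that is not part of the original post. The tooling-fingerprint set, the IP-to-hostname table, the admin allowlist and the spray thresholds are assumptions to tune per environment, and the source IP on each 4672 is assumed to have been joined from the matching 4624 by Logon ID before the events reach this code.

```python
"""Pass-the-Hash residue detection over constructed sample events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

TOOL_FINGERPRINTS = {"KALI", "WORKSTATION"}  # workstation names typical of attack tooling (assumption)
HOST_BY_IP = {"10.10.10.21": "WS-021", "10.10.10.55": "WS-055"}  # constructed DNS/DHCP lookup
ADMIN_ACCOUNTS = {"t1-srvadmin"}  # accounts expected to produce type 9 logons (assumption)
SPRAY_WINDOW, SPRAY_MIN_IPS = timedelta(minutes=5), 3  # thresholds are assumptions, tune per site
LSASS_DUMP_MASKS = {"0x1010", "0x1410"}  # GrantedAccess values from the post

def _ts(e): return datetime.fromisoformat(e["ts"])

def detect(events):
    """Return (rule_name, account_or_host) findings in timestamp order."""
    findings = []
    priv = defaultdict(list)  # account -> [(ts, src_ip)] from 4672 events (src_ip pre-joined, assumption)
    for e in sorted(events, key=_ts):
        if e["id"] == 4624 and e["type"] == 3 and e["auth"] == "NTLM":
            ws = e["workstation"].upper()
            # Unknown source IPs resolve to "" and therefore count as a mismatch.
            if ws in TOOL_FINGERPRINTS or HOST_BY_IP.get(e["src_ip"], "").upper() != ws:
                findings.append(("ntlm_workstation_mismatch", e["account"]))
        elif e["id"] == 4624 and e["type"] == 9 and e["account"] not in ADMIN_ACCOUNTS:
            findings.append(("newcredentials_logon", e["account"]))
        elif e["id"] == 4672:
            priv[e["account"]].append((_ts(e), e["src_ip"]))
            recent = {ip for t, ip in priv[e["account"]] if _ts(e) - t <= SPRAY_WINDOW}
            if len(recent) >= SPRAY_MIN_IPS:
                findings.append(("privileged_spray", e["account"]))
        elif e["id"] == 10 and e["target_image"].lower().endswith("\\lsass.exe") \
                and e["granted_access"].lower() in LSASS_DUMP_MASKS:
            findings.append(("lsass_access", e["host"]))
    return findings

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"id": 4624, "ts": "2024-11-14T09:00:00", "type": 3, "auth": "Kerberos", "account": "jdoe",
     "src_ip": "10.10.10.21", "workstation": "WS-021", "host": "FS01"},
    {"id": 4624, "ts": "2024-11-14T09:01:10", "type": 3, "auth": "NTLM", "account": "helpdesk1",
     "src_ip": "10.10.10.55", "workstation": "KALI", "host": "FS01"},
    {"id": 4624, "ts": "2024-11-14T09:01:30", "type": 9, "auth": "Negotiate", "account": "helpdesk1",
     "src_ip": "127.0.0.1", "workstation": "WS-055", "host": "WS-055"},
    {"id": 4672, "ts": "2024-11-14T09:02:00", "account": "helpdesk1", "src_ip": "10.10.10.55", "host": "FS01"},
    {"id": 4672, "ts": "2024-11-14T09:02:20", "account": "helpdesk1", "src_ip": "10.10.10.56", "host": "SQL01"},
    {"id": 4672, "ts": "2024-11-14T09:02:40", "account": "helpdesk1", "src_ip": "10.10.10.57", "host": "DC01"},
    {"id": 10, "ts": "2024-11-14T08:59:00", "target_image": r"C:\Windows\system32\lsass.exe",
     "granted_access": "0x1010", "host": "WS-055"},
]

if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_EVENTS):
        print(rule, subject)
```

The Kerberos type 3 logon from a workstation whose name matches its source IP produces no finding; everything else in the sample trips exactly one rule.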
Remediation: the architectural fix
There is no single setting that stops PtH. There is a model, and there are five controls that together implement it.
- Implement a tier model. Tier-0 (DCs, AD CS, ADFS, backup) admins log in only from PAWs. Tier-1 (servers) admins never log into tier-2 (workstations). Tier-2 admins never log into tier-1. Enforce with Authentication Policy Silos.
- Deploy LAPS (or Windows LAPS, the modern AD-integrated version) so that every workstation and server has a unique local administrator password rotated automatically. This kills the spray of the shared local administrator hash immediately, because the hash captured on one host no longer works on any other.
- Enable Credential Guard on every supported endpoint. This isolates LSASS in a virtualization-protected container so Mimikatz cannot read hashes from it. Requires VBS-enabled hardware and tested driver compatibility.
- Add domain admins and other high-value accounts to the Protected Users group. This forces Kerberos AES-only, blocks NTLM authentication for those accounts, and disables credential delegation.
- Enforce User Rights Assignment via GPO: Deny log on through Remote Desktop Services and Deny log on locally for tier-2 accounts on tier-1 hosts and vice versa. Pair these with Deny access to this computer from the network for the same accounts, since the SMB, WinRM and WMI logons that PtH rides are network (type 3) logons that the RDP and local-logon denials do not cover. This is the rule that actually stops the lateral movement when Credential Guard is bypassed.
The detection layer
Even with the architecture in place, alert on the residue. A type 9 logon for a non-admin account, a Mimikatz LSASS access pattern from Sysmon 10, or an NTLM authentication from a workstation to a tier-0 host are all high-fidelity signals. The combination of architecture and detection is what separates an environment where PtH dies on the workstation from one where it ends in domain compromise.