
Post on 23-Dec-2015


Transcript

Pass-the-Hash: How Attackers Spread and How to Stop Them

Mark Russinovich, Technical Fellow, Microsoft Azure

Nathan Ide, Principal Dev Lead, Microsoft Windows

Pass-the-Hash == Single-Sign On

Pass-the-hash is the use of a saved credential or authenticator.

It exists solely to support single-sign on (SSO).

If you want SSO, you are exposed to PTH.

In other words: if you want SSO, pass-the-hash cannot be “fixed”.

This is not a “Windows problem”.

There are two types of pass-the-hash:

Credential reuse: using the saved credential on the system on which it was saved.

Credential theft: taking the saved credential to another system and using it from there.

Agenda

Pass-the-Hash Technique

Pass-the-Hash on Windows Today

New Windows Mitigations: Local Account; Domain Account; Restricted Remote Administration; Authentication Policies and Silos

Single-Sign On, Explained

[Slide diagram: Sue’s Laptop (User: Sue, Password: a1b2c3) creates Sue’s User Session (User: Sue, Password hash: C9DF4E…); the File Server creates a second Sue’s User Session. Steps 1 to 4 are numbered on the diagram.]

1. Sue enters username and password
2. PC creates Sue’s user session
3. PC proves knowledge of Sue’s hash to Server
4. Server creates a session for Sue

Pass-the-Hash Technique

[Slide diagram: Fred’s Laptop holds Fred’s User Session (User: Fred, Password hash: A3D7…). A Malware User Session running as Fred reaches Sue’s Laptop, where Sue’s User Session (User: Sue, Password hash: C9DF…) is present; from there the malware reaches the File Server as Sue. Steps 1 to 3 are numbered on the diagram.]

1. Fred runs malware
2. Malware infects Sue’s laptop as Fred
3. Malware infects File Server as Sue


Windows Pass-the-Hash in the News

The virus erased data on three-quarters of Aramco’s corporate PCs — documents, spreadsheets, e-mails, files — replacing all of it with an image of a burning American flag.

“… I wouldn’t say the vendor had AD credentials but that the internal administrators would use their AD login to access the system from inside. This would mean the server had access to the rest of the corporate network ...”

Windows Pass-the-Hash in Mark’s Inbox

PsExec EULA: You are not permitted to use PsExec for illegal activity.

Windows Single-Sign On Architecture

[Slide diagram: Sue’s Laptop (User: Sue, Hash: C9DF4E…) and the PTHDemo-DC domain controller; the address 192.168.1.1 is also labelled. Inside the laptop’s Local Security Authority (LSASS), three authentication packages hold Sue’s “credential footprint”: NTLM keeps the NTOWF (C9DF4E56A2D1…), Digest keeps the plaintext password (a1b2c3), and Kerberos keeps the Ticket-Granting Ticket and the Service Tickets obtained from the DC.]

Windows Pass-the-Hash “Discovery”

Microsoft Guidance

Microsoft published Pass-the-Hash guidance in December 2012.

Highlighted best practices and dispelled urban legends.

Pass-the-Hash Tools on Windows

[Slide diagram: Sue’s Laptop with the Local Security Authority (LSASS) credential store: NTLM holds the NTOWF C9DF4E56A2D1…, Digest holds the password a1b2c3, and Kerberos holds the Ticket-Granting Ticket and Service Tickets. A second NTOWF, A3D723B95DA…, has been placed in the credential store alongside Sue’s.]

Demo: Pass-the-Hash with Windows Credential Editor


Problem: Local Account Traversal

[Slide diagram: Fred’s Laptop and Sue’s Laptop each have a Security Accounts Manager holding the same local account, User: Admin, Hash: A2DF…; the identical hash lets whoever controls one laptop move to the other.]

Local Account Mitigations

Two new well-known groups:

“Local account”

“Local account and member of Administrators group”

Useful for restricting access

Demo: Local Account Mitigations
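As an added example (not part of the deck and not Microsoft's code), here is a PowerShell audit of the local-account mitigation just described: it checks whether this host can resolve the two new well-known groups (their SIDs, S-1-5-113 and S-1-5-114, are the documented values; the slide gives only the names) and whether those groups appear in the "Deny access to this computer from the network" and "Deny log on through Remote Desktop Services" rights, which is how the groups are used to keep a local account hash taken from one machine from being replayed against another. It assumes an elevated session (secedit needs one) on Windows 8.1 / Server 2012 R2 or a Windows 7 / 8 host with the update that introduced the groups.

```powershell
# Added example, not from the presentation. Assumes an elevated session and the
# documented well-known SIDs for the two local-account groups.
$LocalAccountSids = @{
    'S-1-5-113' = 'Local account'
    'S-1-5-114' = 'Local account and member of Administrators group'
}

function Test-LocalAccountGroupsKnown {
    # The groups exist on this host only if LSA can translate their SIDs to names.
    foreach ($sid in $LocalAccountSids.Keys) {
        try {
            $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
            [pscustomobject]@{ Sid = $sid; Name = $name; Known = $true }
        } catch {
            [pscustomobject]@{ Sid = $sid; Name = $LocalAccountSids[$sid]; Known = $false }
        }
    }
}

function Get-DenyLogonRights {
    # Export the local security policy and read the two deny rights that stop a
    # local account from being used over the network or through RDP.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content -Path $cfg
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    $result = @{}
    foreach ($right in 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        $line = $lines | Where-Object { $_ -like "$right*" } | Select-Object -First 1
        # secedit writes SIDs with a leading '*', e.g. "SeDenyNetworkLogonRight = *S-1-5-114,*S-1-5-113"
        $result[$right] = if ($line) {
            ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
        } else { @() }
    }
    $result
}

function Test-LocalAccountPthMitigation {
    $rights = Get-DenyLogonRights
    foreach ($sid in $LocalAccountSids.Keys) {
        [pscustomobject]@{
            Group         = $LocalAccountSids[$sid]
            Sid           = $sid
            DeniedNetwork = $rights['SeDenyNetworkLogonRight'] -contains $sid
            DeniedRdp     = $rights['SeDenyRemoteInteractiveLogonRight'] -contains $sid
        }
    }
}

Test-LocalAccountGroupsKnown   | Format-Table -AutoSize
Test-LocalAccountPthMitigation | Format-Table -AutoSize
```

Known = False means the host does not have the update that introduced the groups, so no policy can reference them yet; DeniedNetwork or DeniedRdp = False means the groups exist but the deny rights that make them useful have not been assigned, typically through Group Policy under User Rights Assignment.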


Problem: Domain Credential Harvesting

[Slide diagram: Sue’s Laptop, Local Security Authority (LSASS) credential store: NTLM holds the NTOWF C9DF4E56A2D1…, Digest holds the password a1b2c3, and Kerberos holds the Ticket-Granting Ticket and Service Tickets. This store is what gets harvested from the laptop.]

Domain Account Mitigations

Reduced credential footprint

Aggressive session expiry

New “Protected Users” RID

Hardened LSASS process

Demo: Domain Account Mitigations


Problem: Remote Administration

[Slide diagram: Sue (User: Sue, Pass: a1b2c3) uses the Remote Desktop Client on Sue’s Helpdesk PC to connect to Fred’s Laptop. The LSASS credential store on Fred’s Laptop then holds Sue’s NTLM NTOWF (C9…), Digest password (a1b2c3) and Kerberos tickets, where Mimikatz can read them.]

Restricted Administration Mode

Restricted Administration Mode allows remote administrators to connect without delegation.

Attaches machine credentials to session.

Demo: Restricted Remote Administration
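An added PowerShell audit (not the presenters' code) covering the two preceding slides, Domain Account Mitigations and Restricted Remote Administration: it finds the Protected Users group by its well-known RID (525, the documented value; the slide only says "new Protected Users RID"), lists members of privileged groups that are not yet in it, and reads the Restricted Admin mode switch on the local RDP target (the DisableRestrictedAdmin value under HKLM\System\CurrentControlSet\Control\Lsa, a documented value not shown on the slide). The ActiveDirectory module on a domain-joined host with RSAT, a 2012 R2 domain that has the Protected Users group, and the privileged group names below are assumptions.

```powershell
# Added example, not from the presentation. Assumes the ActiveDirectory module and
# a 2012 R2 domain; run the registry check on the RDP target host itself.
Import-Module ActiveDirectory

function Get-ProtectedUsersGroup {
    # Protected Users is identified by well-known RID 525 under the domain SID, so
    # look it up by SID rather than by a (localisable) display name.
    $domainSid = (Get-ADDomain).DomainSID.Value
    Get-ADGroup -Identity "$domainSid-525"
}

function Get-UnprotectedPrivilegedUsers {
    param([string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators'))
    # SIDs of every user already covered by Protected Users (nested membership included).
    $protected = @(Get-ADGroupMember -Identity (Get-ProtectedUsersGroup) -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $_.SID.Value })
    foreach ($group in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' -and $protected -notcontains $_.SID.Value } |
            ForEach-Object {
                [pscustomobject]@{ Account = $_.SamAccountName; PrivilegedVia = $group; InProtectedUsers = $false }
            }
    }
}

function Get-RestrictedAdminState {
    # Restricted Admin mode is explicitly enabled on an RDP target when
    # DisableRestrictedAdmin is 0; a missing value means it has not been set here.
    $key   = 'HKLM:\System\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $key -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    [pscustomobject]@{
        Host                      = $env:COMPUTERNAME
        DisableRestrictedAdmin    = $value
        ExplicitlyEnabled         = ($null -ne $value -and $value -eq 0)
    }
}

Get-UnprotectedPrivilegedUsers | Format-Table -AutoSize
Get-RestrictedAdminState       | Format-List
```

Accounts reported by Get-UnprotectedPrivilegedUsers are the ones whose NTLM hash and long-lived tickets would still be cached on any host they log on to; Protected Users removes that cache and forces Kerberos, which is the "reduced credential footprint" the slide refers to. On the client side, the administrator then connects with mstsc /restrictedadmin so that only the machine's own identity is attached to the remote session.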


Problem: Privileged User Credential Replay

[Slide diagram: Sue’s credentials (User: Sue) are used from an IT admin terminal to the Domain Controller, but the same credentials also appear on a Lobby kiosk used by Fred, from where they can be replayed against the Domain Controller.]

Authentication Policies and Silos

Enable isolation of users or resources

Keeps user in their silo

Prevents outside access to silo

2012R2 domains support Authentication Policies and Silos

Policies allow custom ticket lifetime and issuance conditions

Can restrict users and service accounts

Authentication Policies and Silos: PTHDemo Domain

[Slide diagram: Users Sue and Fred; Computers Fred-PC and Sue-PC. The “Sue Lockdown” Authentication Silo (Members: Sue; Sue-PC) applies the “Sue Lockdown” Authentication Policy: ticket lifetime 4 hours; conditions: users use Silo PCs. Sue and Sue-PC carry the attribute Silo: Sue …; Fred and Fred-PC are outside the silo.]

Demo: Authentication Policies and Silos
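The "Sue Lockdown" silo from the slide, built with the ActiveDirectory module, as an added example that is not the presenters' demo script: a policy with a 4-hour (240 minute) TGT lifetime and a condition that Sue may authenticate only from devices in the same silo, a silo that binds users, computers and services to that policy, and the two-sided membership (the silo grants access to the account, and the account claims the silo). It assumes a domain at the 2012 R2 functional level with the KDC and client settings for claims, compound authentication and Kerberos armoring enabled, and that the accounts Sue, Sue-PC and Fred-PC already exist; the description text is made up.

```powershell
# Added example, not from the presentation. Assumes a 2012 R2 domain with claims
# and Kerberos armoring enabled, and existing accounts Sue, Sue-PC and Fred-PC.
Import-Module ActiveDirectory

$SiloName = 'Sue Lockdown'

# Condition from the slide ("users use Silo PCs"): the user may only get a TGT
# from a device whose AuthenticationSilo claim matches this silo. This is the
# SDDL form the cmdlet documents; the backtick-escaped quotes are required.
$FromSiloOnly = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$SiloName`"))"

# Policy: ticket lifetime 4 hours, enforced rather than audit-only.
New-ADAuthenticationPolicy -Name $SiloName -Description 'Sue may authenticate only from silo PCs' `
    -UserTGTLifetimeMins 240 -UserAllowedToAuthenticateFrom $FromSiloOnly -Enforce

# Silo: one policy for users, computers and services; enforced.
New-ADAuthenticationPolicySilo -Name $SiloName `
    -UserAuthenticationPolicy $SiloName `
    -ComputerAuthenticationPolicy $SiloName `
    -ServiceAuthenticationPolicy $SiloName -Enforce

# Membership is two-sided: the silo must permit the account, and the account must
# be assigned to the silo. Fred and Fred-PC are deliberately left outside it.
$members = @((Get-ADUser -Identity 'Sue'), (Get-ADComputer -Identity 'Sue-PC'))
foreach ($account in $members) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $account
}
Set-ADUser     -Identity 'Sue'    -AuthenticationPolicySilo $SiloName
Set-ADComputer -Identity 'Sue-PC' -AuthenticationPolicySilo $SiloName

# Verify what the DC now holds for the silo and the policy.
Get-ADAuthenticationPolicySilo -Identity $SiloName
Get-ADAuthenticationPolicy     -Identity $SiloName
```

Leaving out -Enforce on either object puts it in audit mode, which is the safe way to stage this: the DC logs would-be denials without refusing tickets, so the policy can be checked against real logon patterns (including any service accounts the slide says can also be restricted) before it is turned on. Once enforced, a replay of Sue's credential from the lobby kiosk fails at the KDC because the kiosk is not a silo member.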

Mitigations on Windows 7 and Windows 8.1

The following features will be available on Windows 7 and Windows 8.1:

Local account well-known groups

Reduced credential footprint

RDP client /restrictedadmin

Protected Users

Conclusion

Comprehensive network security must address Pass-the-Hash.

New Windows mitigations are available:

Local account protections

Domain account protections

Protected domain accounts

Authentication policies and Silos


© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
