medium advisory

Potential Pass-the-Hash (PtH) Attempt Detection

This rule detects potential Pass-the-Hash (PtH) attempts in Windows environments by monitoring successful authentications that combine specific user IDs (S-1-5-21-* or S-1-12-1-*) with the `seclogo` logon process. In a PtH attack, adversaries use stolen password hashes to authenticate and move laterally across systems without needing plaintext passwords.

Pass-the-Hash (PtH) is a technique where attackers leverage stolen password hashes to authenticate and move laterally within a Windows environment, bypassing standard system access controls. Instead of needing the plaintext password, adversaries use a hash of the password to authenticate to a remote service or server. This detection rule focuses on identifying potential PtH attempts by monitoring for successful logins using specific user IDs (S-1-5-21-* or S-1-12-1-*) and the seclogo logon process, which is commonly associated with credential theft and misuse. The rule aims to detect anomalous authentication patterns indicating that an attacker is using PtH to gain unauthorized access to systems. This is important because successful PtH attacks can lead to widespread compromise of sensitive data and critical infrastructure.

Attack Chain

  1. The attacker gains initial access to a system through phishing or exploiting a vulnerability.
  2. The attacker dumps password hashes from the compromised system using tools like Mimikatz.
  3. The attacker identifies a target system within the network.
  4. The attacker uses the stolen password hash to authenticate to the target system using the seclogo logon process.
  5. Windows validates the hash, granting the attacker access without requiring the plaintext password.
  6. The attacker successfully authenticates with the stolen credentials and a user ID matching the pattern S-1-5-21-* or S-1-12-1-*.
  7. The attacker leverages their unauthorized access to move laterally to other systems or access sensitive data.
  8. The attacker achieves their final objective, such as data exfiltration or deploying ransomware.

Impact

Successful Pass-the-Hash attacks can lead to significant damage, including unauthorized access to sensitive data, lateral movement within the network, and potential data exfiltration or ransomware deployment. Organizations can experience financial losses, reputational damage, and operational disruptions. No specific victim count is given here; PtH is a common technique in many breaches and can affect any organization that relies on Windows authentication.

Recommendation

  • Enable Audit Logon to generate the necessary Windows Security Event Logs, as described in the setup instructions at https://ela.st/audit-logon.
  • Deploy the Sigma rule to your SIEM to detect potential Pass-the-Hash attempts. Tune the rule to account for legitimate uses of the seclogo logon process.
  • Investigate any alerts generated by the Sigma rule, focusing on correlating the successful authentication events with other security logs to identify any lateral movement or access to sensitive systems.
  • Review and update access controls and permissions for the affected accounts to ensure they adhere to the principle of least privilege after an incident, as detailed in the Response and Remediation section.

Detection coverage (2 rules)

Potential Pass-the-Hash (PtH) Attempt via Seclogo

medium

Detects potential Pass-the-Hash (PtH) attempts by monitoring for successful logins using the `seclogo` logon process and specific user IDs.

Type: sigma · Tactics: lateral_movement · Techniques: T1550.002 · Sources: authentication, windows

Pass-the-Hash Attempt - Anomalous Logon Process

medium

Detects potential Pass-the-Hash attempts by monitoring for successful logins with specific user IDs and flagging if the LogonProcessName is unusual.

Type: sigma · Tactics: lateral_movement · Techniques: T1550.002 · Sources: authentication, windows
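The two rules above share one detection idea: a successful Windows logon whose target account SID starts with S-1-5-21- or S-1-12-1-, combined with either the `seclogo` logon process or a logon process that is not normally seen. The following Python matcher is an added example written for this page; it is not one of the platform's Sigma rules and does not reproduce their exact query logic. It assumes that successful logons are Windows Security Event ID 4624 and that the normalized record carries the 4624 field names `TargetUserSid`, `LogonProcessName` and `WorkstationName`. The sample events and the SIDs in them are constructed, and the baseline of "expected" logon processes is an assumed starting point that an analyst would tune per environment, which is the tuning step the Recommendation section calls for.

```python
"""Added example: applying the PtH/seclogo detection idea to constructed 4624 events.

Not part of the advisory or its Sigma rules. Field names follow the Windows
Security 4624 event (assumption); sample data below is constructed.
"""
import re
from dataclasses import dataclass

SUCCESS_LOGON_EVENT_ID = 4624  # Windows Security: "An account was successfully logged on"

# SID prefixes named by the advisory: domain/local accounts (S-1-5-21-*) and
# Azure AD / Entra ID accounts (S-1-12-1-*). Well-known SIDs such as SYSTEM
# (S-1-5-18) deliberately fall outside this pattern.
TARGET_SID_RE = re.compile(r"^S-1-(?:5-21|12-1)-")

# Assumed baseline of logon processes routinely seen in 4624 events on a
# healthy host. Tune this per environment; it is not taken from the page.
EXPECTED_LOGON_PROCESSES = {"user32", "advapi", "kerberos", "ntlmssp", "negotiate", "winlogon", "schedule"}

RULE_SECLOGO = "pth_via_seclogo"
RULE_ANOMALOUS_PROCESS = "pth_anomalous_logon_process"


@dataclass(frozen=True)
class LogonEvent:
    event_id: int
    target_user_sid: str
    logon_process: str
    workstation: str


def from_record(record: dict) -> LogonEvent:
    """Build a LogonEvent from a SIEM-style JSON record using 4624 field names."""
    return LogonEvent(
        event_id=int(record["EventID"]),
        target_user_sid=record.get("TargetUserSid", ""),
        logon_process=record.get("LogonProcessName", ""),
        workstation=record.get("WorkstationName", ""),
    )


def evaluate(event: LogonEvent) -> list[str]:
    """Return the rule names this event satisfies; an empty list means no alert."""
    # Both rules only consider successful logons for the SID patterns of interest.
    if event.event_id != SUCCESS_LOGON_EVENT_ID:
        return []
    if not TARGET_SID_RE.match(event.target_user_sid):
        return []

    hits = []
    proc = event.logon_process.strip().lower()
    # Rule 1: the seclogo logon process itself.
    if proc == "seclogo":
        hits.append(RULE_SECLOGO)
    # Rule 2: any logon process outside the tuned baseline (seclogo included).
    if proc not in EXPECTED_LOGON_PROCESSES:
        hits.append(RULE_ANOMALOUS_PROCESS)
    return hits


def scan(events: list[LogonEvent]) -> list[tuple[str, str, list[str]]]:
    """Run evaluate() over a batch and keep only events that fired at least one rule."""
    results = []
    for event in events:
        hits = evaluate(event)
        if hits:
            results.append((event.workstation, event.target_user_sid, hits))
    return results


# Constructed sample records: SIDs and hostnames are made up for illustration.
SAMPLE_RECORDS = [
    {"EventID": 4624, "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1001",
     "LogonProcessName": "User32", "WorkstationName": "WS01"},   # ordinary interactive logon
    {"EventID": 4624, "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1001",
     "LogonProcessName": "seclogo", "WorkstationName": "WS01"},  # seclogo: fires both rules
    {"EventID": 4624, "TargetUserSid": "S-1-12-1-4444444444-5555555555-6666666666-7777777777",
     "LogonProcessName": "seclogo", "WorkstationName": "WS02"},  # Azure AD SID, seclogo
    {"EventID": 4624, "TargetUserSid": "S-1-5-18",
     "LogonProcessName": "Advapi", "WorkstationName": "WS01"},   # SYSTEM: out of scope
    {"EventID": 4624, "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-500",
     "LogonProcessName": "Unknown", "WorkstationName": "WS03"},  # unusual process only
    {"EventID": 4625, "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1001",
     "LogonProcessName": "seclogo", "WorkstationName": "WS01"},  # failed logon: ignored
]
SAMPLE_EVENTS = [from_record(r) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for workstation, sid, hits in scan(SAMPLE_EVENTS):
        print(f"{workstation}\t{sid}\t{', '.join(hits)}")
```

Running the block prints the three events that fire: the two `seclogo` logons (each matching both rules) and the logon with the unknown process (matching only the anomalous-process rule). The SYSTEM logon and the failed logon are filtered out before any rule is applied, which is the SID-pattern and success-only scoping the advisory describes; the baseline set is where environment-specific tuning happens.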

Detection queries are kept inside the platform.