{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/pass-the-hash/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["credential-access","pass-the-hash","ntlm-relay","powershell"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts containing artifacts indicative of NTLM relay or pass-the-hash (PtH) attacks. These techniques allow attackers to authenticate to systems without needing plaintext passwords, enabling lateral movement and privilege escalation. The rule focuses on identifying specific byte sequences and strings within PowerShell script blocks that suggest NTLM/SMB negotiation and credential access attempts. This detection helps defenders identify and respond to potential credential theft and abuse within their Windows environments. The rule is based on observed techniques used in various publicly available tools such as Invoke-TheHash, Check-LocalAdminHash, and PoshC2.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script on the compromised system. This script could be directly executed or obfuscated to evade initial detection.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script attempts to perform NTLM relay or pass-the-hash attacks by utilizing specific byte sequences related to NTLM/SMB negotiation, such as \u003ccode\u003eNTLMSSPNegotiate\u003c/code\u003e or \u003ccode\u003e0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script may utilize tools like Invoke-WMIExec or Invoke-SMBExec to execute commands on remote systems using the stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to other systems on the network using the relayed credentials or password hashes.\u003c/li\u003e\n\u003cli\u003eSuccessful authentication allows the attacker to move laterally, accessing sensitive data or escalating privileges on other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker may deploy additional payloads or establish persistence mechanisms for continued access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful pass-the-hash or NTLM relay attack can grant an attacker unauthorized access to sensitive systems and data within the network. This can lead to data breaches, financial loss, or disruption of critical services. The impact could range from compromising a few systems to gaining domain administrator privileges, depending on the attacker\u0026rsquo;s goals and the network\u0026rsquo;s security posture. Organizations can experience significant financial and reputational damage due to data breaches and service disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the necessary data for this detection. Refer to the setup instructions in the rule documentation for configuration details.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetecting Potential PowerShell Pass-the-Hash/Relay Scripts\u003c/code\u003e to your SIEM and tune it based on your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule to determine the scope and impact of the potential attack. Refer to the triage and analysis section in the rule documentation for guidance on investigation steps.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and access controls to limit the impact of lateral movement.\u003c/li\u003e\n\u003cli\u003eMonitor authentication events (event codes 4624, 4625, 4648) for suspicious activity, such as NTLM authentication from unexpected source IPs or to unusual target systems, as described in the rule\u0026rsquo;s investigation notes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T12:00:00Z","date_published":"2024-07-03T12:00:00Z","id":"/briefs/2024-07-powershell-pth-relay/","summary":"This rule detects PowerShell scripts associated with NTLM relay or pass-the-hash tooling and SMB/NTLM negotiation artifacts, indicating potential credential access and lateral movement attempts by attackers.","title":"Detecting Potential PowerShell Pass-the-Hash/Relay Scripts","url":"https://feed.craftedsignal.io/briefs/2024-07-powershell-pth-relay/"}],"language":"en","title":"CraftedSignal Threat Feed — Pass-the-Hash","version":"https://jsonfeed.org/version/1.1"}