PTH and PTT attacks are commonly known methods that attackers use for their lateral movement in a domain environment. We’ve seen them for a long time in the industry, but the constant pursuit after the detection of those attack methods isn’t over yet.
They’re really hard to detect because these attacks leverages legitimate Active Directory operations in order to achieve their goals, which is eventually – getting higher permissions inside the domain environment context, and being able to move laterally into more sensitive and desirable locations.
Detecting both of these attacks are mostly being done by Active Directory event logs analysis and monitoring, we want to give you another take on how to detect them.
There are other techniques, that can give you the ability to find out if some sort of credentials theft has been executed on a local or remote endpoint using few WMI commands and some minor PowerShell involvement, by simply looking on their logic and how they operate.
Pass-The-Ticket (PTT) Explained
Pass-The- Ticket attacks is usually performed via hijacked Kerberos tickets that being dumped from the exposed Lsass.exe process that resides in Windows’s OS memory.
The attacker re-uses the ticket by injecting them into his logon session and takes over the ticket’s user permissions.
The detection of Pass-The- Ticket attack performed with the usage of the following WMI queries and KLIST windows utility.
1. Win32_LoggedOnUser – To query all the active Users on the target host (Username, associated session IDs).
2. Win32_LogonSessions – To query all the active logon sessions on the target host (Session IDs).
3. Correlate between the username, the session ID and execute the KLIST command to each unique session, to determine all the associated Kerberos Tickets of these sessions.
4. Once we find a Kerberos ticket that doesn’t belong to his session owner, it means that someone has injected it to his session, clear indication for Pass-The-Ticket Attack.
This is a very efficient method that can be very valuable when investigating suspicious endpoints that are part of an incident in your environment, to understand what kind of credentials have been exposed and what is the magnitude of the damage that’s being done. By looking at the service tickets that were generated in the injected session we can actually pinpoint to the specific assets that were compromised in this attack.
Pass-The-Hash (PTH) Explained
Pass-The- Hash attacks is usually performed by dumping the connected user password’s hash (AKA NTLM hash) from memory and instead of using a clear text password to authenticate a user, the hash is passed straight to a remote host as an NTLM authentication instead of requesting service ticket from the domain controller using Kerberos, therefore the actual authentication occurs on the target endpoint.
The detection of Pass-The-Hash attack can also be done with the same WMI queries, but this time we will try to detect any “Negotiation” logon sessions that contains the Logon Type ‘9’. There’s a high severity that Pass-The- Hash attack will be executed via this method, and the only time that you’ll see Logon Type ‘9’ in “Negotiation” session will be if someone is using run-as command with the “net-only” parameter, which is not something you see every day in normal environments, so the false positive rate in this method is very low.
Meaning, encountering “Negotiation”; logon session with Logon Type 9 usually means someone tried to pass-the-hash instead of entering the username’s password.
Pass-The-Hash Detection Demonstration
Using Benjamin Delpy’s Mimikatz tool, we’ll execute PTH attack:
And with our PTH detection tool, you’ll see the abnormal “Negotiation” session with Logon Type 9, and from what session (aka, what user execute the PTH attack from):
This method was also tested with various PTH tools, and it’s confirmed working 🙂
Using Benjamin Delpy’s Mimikatz tool, we’ll execute PTT attack on already dumped tickets, and then execute the PTT detection script.
As you can see the injected ticket is visible to all, clearly showing that the krbtgt ticket of”m6″ was injected into the user – javelin’s session.
download the Get-SessionAnomaly PowerShell script (Supports PS 2.0 and above)