Insider Threat Security Blog

Now that we’ve looked at how pass-the-hash and pass-the-ticket attacks work and what to do to detect them, let’s take a look at overpass-the-hash.  Basically, this is a combination of both attacks. The idea of overpass-the-hash is for an attacker to leverage the NTLM hash of another user account to obtain a Kerberos ticket which can be used to access network resources. This can come in handy if you are only able to obtain the NTLM hash for an account,…

Read More Read More

In our first post of the series, we looked at some interesting ways to detect the pass-the-hash attack. Pass-the-hash is an effective approach for exploiting NTLM authentication within an Active Directory domain. Pass-the-ticket is an alternate approach which leverages Kerberos authentication to perform lateral movement.  In this post we will dive into how this attack works and what you can do to detect it. How Pass-the-Ticket Works In a pass-the-ticket attack, an attacker is able to extract a Kerberos Ticket Granting Ticket…

Read More Read More

This is the first in a 3-part blog series, that will be followed by a webinar February 28th. Lateral movement techniques are one of the most common approaches attackers can use to infiltrate your network and obtain privileged access to your credentials and data. This has been seen recently with modern ransomware such as SamSam and Ryuk. We’ve looked recently at how to detect pass-the-hash attacks using honeypots and in doing research into the most effective ways to detect this type…

Read More Read More

So far in this series, we’ve learned about the HoneyHash, a useful honeypot technique for detecting Pass-the-Hash and credential theft within a Windows environment.  We then looked into how to monitor for an attacker triggering the honeypot, and how to gather the necessary forensic details to investigate the attack.  Now let’s look at what you need to do to roll out the honeypot across multiple endpoints in your environment. There are some basic challenges we need to consider.  First, we…

Read More Read More

In our first post of this series, we explored the Honeyhash, and how it can be used to create a honeypot to catch attackers performing credential theft and pass-the-hash attacks.  Now that our trap is set, we need to make sure we can catch any attacker in the act who may fall for it. The concept of detection for the Honeyhash is simple.  We put a fake account in memory on a system, so let’s see if anybody tries to…

Read More Read More

Credential theft within Windows and Active Directory continues to be one of the most difficult security problems to solve.  This is made clear in the Verizon DBIR where it is reported that the use of stolen credentials is the #1 action identified across data breaches. Microsoft has acknowledged this challenge and responded with a guide on how to mitigate the Pass-the-Hash attack.  They have expanded on their recommendations and outlined steps to set up a tiered Active Directory environment and…

Read More Read More

In this series, we’ve learned about DCShadow and covered attack scenarios to demonstrate how this can be used for an attacker to create persistence as well as elevate privileges across forests.  Now that we know the risks involved with DCShadow, let’s cover what you can do to detect this in your environment. First, let’s recap the basics: The purpose of DCShadow is to make changes that will not be detected by event logs, so you will not be able to…

Read More Read More