LSASS Protection
Implementing PPL (Protected Process Light) for LSASS can significantly hinder memory dumping attempts.
Active Directory: Pass-the-Hash and Pass-the-Ticket Lateral Movement
1. Pass-the-Hash (PtH): Exploiting NTLM
Section titled “1. Pass-the-Hash (PtH): Exploiting NTLM”Pass-the-Hash is the most common technique targeting the NTLM protocol. Since the protocol does not require the clear-text password but only its hash to prove identity, an attacker who recovers this hash can impersonate the user.
The Logic Flaw
Section titled “The Logic Flaw”NTLM relies on a challenge-response mechanism. The system only requires the result of a calculation performed with the hash. By providing the hash directly, the attacker circumvents the need for the original password.
Typical Execution Flow
Section titled “Typical Execution Flow”- Initial Compromise: The attacker gains administrator access on a first machine (e.g., a workstation).
- Secret Extraction: Using tools like Mimikatz, they dump the memory of the LSASS (Local Security Authority Subsystem Service) process, which contains NTLM hashes of recently logged-on users.
- Impersonation: The attacker identifies the hash of a high-privileged user (like a Domain Admin) and uses it to authenticate to critical servers or Domain Controllers.
2. Pass-the-Ticket (PtT): Abusing Kerberos
Section titled “2. Pass-the-Ticket (PtT): Abusing Kerberos”In modern environments where Kerberos is the preferred protocol, attackers use Pass-the-Ticket. Instead of a hash, they steal a Kerberos Ticket (TGT or Service Ticket).
The Logic Flaw
Section titled “The Logic Flaw”Kerberos tickets are the ultimate proof of identity. If an attacker possesses a valid ticket belonging to another user, the system treats them as that user for the duration of the ticket’s validity.
Investigation Path
Section titled “Investigation Path”Detection of PtT is notoriously difficult because the resulting Kerberos traffic appears perfectly legitimate. Analysts must focus on:
- Terminal Analysis: Searching for traces of tools like Mimikatz or Rubeus in memory or on disk.
- Process Injection: Monitoring for suspicious access to the LSASS process memory via EDR solutions.
- Abnormal Behavior: Detecting standard users accessing administrative resources unexpectedly.
3. Forensic Value & Detection Strategy
Section titled “3. Forensic Value & Detection Strategy”Understanding the “Patient Zero” is critical. The first compromised machine is where the “keys to the kingdom” were stolen.
Log Correlation
Section titled “Log Correlation”| Event ID | Description | Forensic Importance |
|---|---|---|
| 4624 | Successful Logon | Look for Logon Type 3 (Network) using NTLM on the target server. |
| 4672 | Special Privileges Assigned | Indicates that the session was opened with administrative rights. |
| 4768 / 4769 | Kerberos TGT/Service Ticket | Essential for tracking the flow of tickets in the domain. |
Tiered Admin Model
Separating administrative accounts from standard workstations limits the exposure of high-privilege hashes.
References & Further Reading
Section titled “References & Further Reading”- Microsoft: Protecting against Pass-the-Hash (PtH) attacks
- MITRE ATT&CK: Lateral Movement (TA0008)
- Related Analysis: Forensic Analysis of Shellbags (to track folder access during lateral movement).