Skip to main content
Skip to main content
Microsoft Security

New Guidance to Mitigate Determined Adversaries’ Favorite Attack: Pass-the-Hash

  • Tim Rains

Author:  Matt Thomlinson, General Manager, Trustworthy Computing

Targeted attacks by determined adversaries (also known as Advanced Persistent Threats or APTs) have been a hot topic recently.  Although targeted attacks continue to make up a small fraction of the attacks we see today, reports of attacks targeting organizations and governments have attracted a lot of attention. We know that one of the first things determined adversaries do if they are able to successfully compromise their target organization’s network is to try to compromise the organization’s directory services.  The reason is clear: a directory service contains the credentials that users, administrators and systems use to authenticate to the network and get access to the organization’s resources.  If attackers are able to obtain administrative access to Active Directory, the organization becomes completely compromised.

In a large number of the targeted attacks we have seen, attackers have attempted to use a “Pass-the-Hash” (PtH) technique to get access to credentials. Today, Microsoft is publishing a comprehensive whitepaper that contains mitigations and guidance called “Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques.”  Given the prevalence of these attacks, we wanted to ensure customers had the most comprehensive guidance to help them implement these tested mitigations. 

PtH is an attack that uses a technique in which an attacker captures account logon credentials on one computer, and then uses those captured credentials to authenticate to other computers on the network. It is important to recognize that this is the second stage of an attack – first the attacker must penetrate and compromise a computer to obtain credentials stored on that computer. A PtH attack is very similar in concept to a password theft attack, but it relies on stealing and reusing password hash values rather than the actual plaintext password. The password hash value, which is a one-way mathematical representation of a password, can be used directly as an authenticator to access services as that user through Single Sign-On (SSO) authentication.

The whitepaper released today details practical and effective mitigations to help prevent against PtH attacks.  It rates their effectiveness, effort required and details whether it blocks privilege escalation and/or lateral movement.  Based on our analysis, there are three primary mitigation strategies Microsoft recommends to help defend against PtH attacks using currently available security mechanisms on our Windows operating system.

Mitigation #1– Restrict and protect high privileged domain accounts – Restricts the ability of administrators to inadvertently expose privileged credentials to higher risk computers.

Mitigation #2– Restrict and protect local accounts with administrative privileges – Restricts the ability of attackers to use local administrator accounts or their equivalents for lateral movement PtH attacks.

Mitigation #3– Restrict inbound traffic using the Windows Firewall – Restricts attackers from initiating lateral movement from a compromised workstation by blocking inbound connections on all workstations with the local Windows Firewall.

The table below categorizes the different mitigations and provides additional recommendations and analysis of other potential mitigations.

This paper is designed to provide IT Professionals with clear, concise and actionable guidance that can be implemented within their organization today to help protect against PtH attacks.  The PtH mitigations in this paper were developed by a number of security teams across Microsoft including Microsoft Server and Tools Business, Microsoft Consulting Services (MCS), Microsoft IT Information Security and Risk Management, Microsoft Office 365 Security, Microsoft Windows Security and Identity Team, Interactive Entertainment Business and Microsoft Trustworthy Computing. 

If you’re looking for guidance on mitigating against Pass-the-Has or other credential theft, I strongly encourage you to read this whitepaper and apply the guidance provided in your environment. Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques_English.pdf

Matt Thomlinson
General Manager
Trustworthy Computing