Presentation is loading. Please wait.

Presentation is loading. Please wait.

“Pass the Hash” Detection with DDNA

Published byFrancis Walker Modified over 6 years ago

Similar presentations

Presentation on theme: "“Pass the Hash” Detection with DDNA"— Presentation transcript:

1 “Pass the Hash” Detection with DDNA
Phil Wallisch

2 The Need It is possible for “admin” users to dump LSA hashes on modern Windows platforms An attacker can impersonate any user by leveraging a captured hash No persistent malware is required to perform the attack. We must detect exited tools. Detect hash dumping/injecting capability in running processes

3 The Approach Locate attack remnants in unallocated memory
Identify active processes that exhibit hash grabbing characteristics

4 Attack Tools Examined Pass-The-Hash (PTH) Toolkit Gsecdump Pwdump6
Gsecdump Pwdump6

5 Attack Procedure Platform: Windows XP SP2 32bit running in VMWare Workstation 6.5. Two users added to the “administrator” group: ‘attacker’ and ‘victim’ Victim logs in via a standard interactive session The “switch user” functionality is executed Attacker logs in via a standard interactive session Attacker executes the hash dump functionality of the tool

6 PTH Toolkit Example

7 Gsecdump Example

8 Pwdump6 Example

9 Locate Attack Remnants
External Research: indicates that password hashes should not be present in virtual memory in their unencrypted form Internal Testing: performed a pattern matching string search across 54 memory images from a live corporate environment 60 malware infected memory images from a lab environment 3 separate memory images where hash dumping tools were individually run

10 Locate Attack Remnants (cont.)
Pattern Used: "\b[a-fA-F0-9]{32}:[a-fA-F0-9]{32}\b“ Word bounded search for two 32 hexadecimal character patterns separated by a colon Results: Live corporate images = 0 matches Malware infected images = 0 matches Hash dump memory images = 60 matches

11 Locate Attack Remnants (cont.)
Conclusion: DDNA should have a hard fact for the presence of a string pattern "\b[a-fA-F0-9]{32}:[a-fA-F0-9]{32}\b” in any location in memory including unallocated space. This hard fact indicates evidence of an unencrypted LSA hash in memory on a system of interest. This technique is a tool agnostic approach to discovering LSA tampering.

12 Active Processes Detection Goals:
Modules with LSA hash dumping capabilities Modules with LSA hash injecting capabilities Solution: DDNA traits covering PTH techniques Naming convention of DDNA traits: PTH_X where “X” = trait number

13 LSASS Injection - PTH_1 iam-alt.exe DDNA PTH_1 Research:
Regex Pattern: (virtualalloc|createremotethread|lsass.exe) Translate to AND logic in DDNA

14 LSASS Injection - PTH_1 (cont.)
gsecdump.exe pwdump6.exe

15 LSASRV.DLL Loading - PTH_2

16 Active Processes Conclusion
DDNA Traits Required: PTH_1: Hash Injection : Identify LSASS DLL injection : I“VirtualAlloc"ku AND I“CreateRemoteThread”ku AND I”lsass.exe”ku PTH_2: Hash Dumping : Identify LSASRV.DLL access : I”lsasrv.dll”ku NOT N”svchost.exe” NOT N”lsass.exe”

Download ppt "“Pass the Hash” Detection with DDNA"

Similar presentations

Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.

Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.
Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.

Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.
CSUF Chapter 3.2 1. CSUF Operating Systems Security 2.

CSUF Chapter CSUF Operating Systems Security 2.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Pass-The-Hash: Gaining Root Access to Your Network

Pass-The-Hash: Gaining Root Access to Your Network
Lab6 – Debug Assembly Language Lab

Lab6 – Debug Assembly Language Lab
Section 3.2: Operating Systems Security

Section 3.2: Operating Systems Security
ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.

ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.
ASSUME BREACH PREVENT BREACH + Research & Preparation First Host Compromised 24-48 Hours Domain Admin Compromised Data Exfiltration (Attacker.

ASSUME BREACH PREVENT BREACH + Research & Preparation First Host Compromised Hours Domain Admin Compromised Data Exfiltration (Attacker.
Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment.

Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment.
2 User: Sue Password hash: C9DF4E… Sue’s Laptop User: Sue Password: a1b2c3 Sue’s User Session User: Sue Password hash: C9DF4E… File Server 1 2 3 Sue’s.

2 User: Sue Password hash: C9DF4E… Sue’s Laptop User: Sue Password: a1b2c3 Sue’s User Session User: Sue Password hash: C9DF4E… File Server Sue’s.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
VMware vCenter Server Module 4.

VMware vCenter Server Module 4.
Hands-on: Capturing an Image with AccessData FTK Imager

Hands-on: Capturing an Image with AccessData FTK Imager
Virtual Memory Chantha Thoeun. Overview  Purpose:  Use the hard disk as an extension of RAM.  Increase the available address space of a process. 

Virtual Memory Chantha Thoeun. Overview  Purpose:  Use the hard disk as an extension of RAM.  Increase the available address space of a process. 
CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application.

CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application.
MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.

MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.
Forensic Artifacts From A Pass The Hash (PtH) Attack

Forensic Artifacts From A Pass The Hash (PtH) Attack
Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 

Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 

Similar presentations

Ads by Google