By Nick Gailloux

Protect against Pass-the-Hash with Azure ATP

March 22, 2018

What is Pass-the-Hash?

For the unfamiliar, a pass-the-hash attack involves capturing the NTLM hash of a user’s password that is stored in the memory of any workstation running Windows, and then replaying that hash to other systems. In other words, an attacker can use your password hash to gain access to other systems without needing to know your actual password.

Imagine that you are an employee in the finance department, but you have been granted administrative rights to your workstation. An attacker manages to gain administrative rights to your workstation using a zero-day exploit. The attacker then waits for a helpdesk employee to log on to your workstation (they might even break something on your workstation to expedite this). Once the helpdesk employee logs on, the attacker then captures the helpdesk employee’s password hash. Of course, a helpdesk employee will have administrative rights to many other workstations, probably even the workstation used by a System Administrator with Domain Administrator credentials. As you can see, the lateral movement and privilege escalation are quite simple, and the number of steps from the initial attack to having Domain Administrator credentials can be as few as three. In fact, Microsoft tells us that many attacks are executed this way.

Why is this still an issue after over 15 years? Storing the password hash in memory is by design, as part of Microsoft’s single sign-on functionality. Windows 10 is the first operating system to provide protection against pass-the-hash attacks by storing your password hash in a highly secured, virtualized area of memory. This feature is called Credential Guard, but its not turned on by default.

What is Azure Advanced Threat Protection?

Back in February 2018, Microsoft quietly announced the launch of Azure Advanced Threat Protection or Azure ATP. Azure Advanced Threat Protection is the cloud version of the on-prem product Microsoft Advanced Threat Analytics.

Both the on-prem and cloud offering provides protection for your on-prem authentication by monitoring your Active Directory Domain Controllers, looking for abnormal behaviour, misconfigurations, or commonly known attacks (including pass-the-hash). They even employ a honeytoken feature that plants fake administrative accounts in your environment as bait for attackers.  For more information on Azure ATP, see What is Azure Advanced Threat Protection?

How do I deploy Azure Advanced Threat Protection?

With the newly released Azure Advanced Threat Protection, deployment is significantly simplified over the on-prem Microsoft Advanced Threat Analytics. Deploying Azure Advanced Threat Protection is as simple as installing the collector agent (called the Lightweight Gateway) on each Active Directory Domain Controller in your environment. The Lightweight Gateway forwards metadata to the Azure Advanced Protection cloud service, where the data is analyzed. Deployment only takes about five minutes per domain controller, and deployment can be automated for larger environments. The Lightweight Gateway can utilize up to a gigabyte of memory, so be sure to check Microsoft’s sizing guidance and your Domain Controllers baseline memory utilization.

How do I license Azure Advanced Threat Protection?

There is a good chance you could already have a license for either Azure ATP or Microsoft ATA. If you are an Enterprise Agreement customer with Core CAL, or, if you have Microsoft 365 E3 or Enterprise Mobility and Security (EMS) E3 licenses, you could already be covered. Contact us today to find out if you are covered, and how to get started.

Loading Conversation