ĭo not allow a domain user to be in the local administrator group on multiple systems. Through GPO: Computer Configuration > Administrative Templates > SCM: Pass the Hash Mitigations: Apply UAC restrictions to local accounts on network logons. The associated Registry key is located HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy. Įnable pass the hash mitigations to apply UAC restrictions to local accounts on network logon.
#Hashtab windows Patch#
Limit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary's ability to perform Lateral Movement between systems.Īpply patch KB2871997 to Windows 7 and higher systems to limit the default access of accounts in the local administrator group.
PoshC2 has a number of modules that leverage pass the hash for lateral movement. Pass-The-Hash Toolkit can perform pass the hash. ĭuring Night Dragon, threat actors used pass-the-hash tools to obtain authenticated access to sensitive internal desktops and servers. Mimikatz's SEKURLSA::Pth module can impersonate a user, with only a password hash, to execute arbitrary commands. Kimsuky has used pass the hash for authentication to remote access software used in C2. HOPLIGHT has been observed loading several APIs associated with Pass the Hash. GALLIUM used dumped hashes to authenticate to other machines via pass the hash. Įmpire can perform pass the hash attacks. ĬrackMapExec can pass the hash to authenticate via SMB. Ĭhimera has dumped password hashes for use in pass the hash authentication attacks. ĪPT32 has used pass the hash for lateral movement. ĪPT28 has used pass the hash for lateral movement. The APT1 group is known to have used pass the hash.
0 kommentar(er)
