Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Monday, August 12, 2013

The "Pass-The-Hash" (PTH) Attack is NOT the Top (#1) Security Risk to Microsoft Windows Server / Active Directory Environments


Hope you're well. Sorry for the momentary absence. Time to blog is just not a luxury I can afford these days given my responsibilities. However, I did want to take a few moments to share a thought on something that so many believe is the #1 risk to Active Directory deployments...

Pass-the-Hash (PTH) Attack

... it is widely believed that the Pass-The-Hash (PTH) attack is the #1 attack against Active Directory deployments, primarily because it can be used to easily obtain administrative access i.e. the keys to the kingdom in Active Directory deployments.

It is undoubtedly a powerful attack vector because, with the right tooling, it provides an insider a relatively easy way to obtain powerful, unrestricted administrative access in an Active Directory environment.

However, it is most certainly NOT the top attack vector against Active Directory. There is at least ONE attack vector which makes it far easier to obtain administrative access in Active Directory deployments than does the PTH attack vector.

Unlike the pass-the-hash attack vector which absolutely requires a victim to have logged on to a computer owned by the attacker, the #1 attack vector has no such requirements. In fact, it does not require the victim to logon to any particular computer, and it most certainly does not require the use of such advanced tooling such as hash capture and replay tools.

(If only folks who built these sophisticated hash capture and replay tools would've thought out-of -the-box, they could've saved themselves a lot of painstaking effort. Oh well, I suppose if they were Active Directory security experts, they would have figured this out way back.)

The attack vector I am referring to is far easier to carry out than to carry out the PTH attack vector, and it can be carried out by any insider, without requiring any technical know-how or hacking prowess. In fact, its attack surface is substantially vaster, and with the right tooling, it could be used to obtain administrative access in Active Directory environments almost instantly.

(The good news is that, with the right capabilities, it can be reliably mitigated (more on that later), and it doesn't require the use of advanced security measures such as Authentication Mechanism Assurance.)

We have reason to believe that certain Advanced Persistent Threats may have gotten adrift of it, and may be in the process of developing exploits, so to help organizations worldwide put adequate risk mitigation measures in place before such exploits make their way, we'll share the knowledge of this attack vector and its mitigation shortly.

The only other thing I'll add is that it is not based on any classified information. In fact it is based on a very logical premise, and if anything, only involves a little bit of novel thinking and common sense. However, as goes the old saying, "common sense is not so common."

I'll share it with you on Sep 12, 2013 on this blog. Until then, here's a hint - Top 5 Active Directory Security Risks

September 12, 2013 Update: Here is the link to the declassified risk -

Best wishes,

PS: What surprises me is that even prominent cyber security experts don't seem to have a clue about this specific vector!

No comments:

Post a Comment