T1550.002 – Pass the Hash (Microsoft Defender for Identity Detection)

Microsoft Defender for Identity Alert Details
Alert ID: MDI-PASS-HASH-1550-7842
Alert Time: 2024-03-12 09:30:15 EST
Severity: CRITICAL (98/100)
Source: Microsoft Defender for Identity
Rule: “Pass-the-Hash Attack Detected”
MITRE ATT&CK: T1550.002 – Use Alternate Authentication Material: Pass the Hash

Alert Details:

Detection: NTLM network logon authenticated with the account's NT hash rather than its password (Pass-the-Hash)

Source Host: 192.168.45.78 (ENG-WS-045 – Engineering Workstation)
Destination: 192.168.10.20 (FILESRV-02 – File Server)
User: rpatel@company.com
Time: 09:25 EST

Authentication Details:

Protocol: NTLM (not Kerberos)
Authentication Type: NTLMv2
Credential Material: NT hash only; no plaintext password was involved (the NTLMv2 challenge-response is computed from the NT hash, so a stolen hash is all a client needs)
Session Key: Derived from the same NT hash, so the attacker also holds a valid session key for SMB signing and sealing
Target Service: CIFS (file access)

Anomaly Detection:

On the wire a Pass-the-Hash logon is byte-for-byte a normal NTLM logon; MDI flags it from context, not from the packets:

User rpatel normally authenticates with Kerberos
NTLM usage is unusual for this user against this server
Source host is an engineering workstation (not an IT admin host)
Multiple failed logons from the same source shortly before the successful one
Combined pattern matches Pass-the-Hash
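
The heuristic above, run over constructed sample logon records, as an added example (not MDI's detection logic and not code from this report). Field names mirror Windows Security events 4624 (success) and 4625 (failure) as a SIEM would export them; the hosts, IPs, times and scoring weights are assumptions made up for the illustration:

```python
"""Kerberos-to-NTLM anomaly detection for Pass-the-Hash logons (added example).

Not MDI's logic or code from the incident report: a simplified version of the
heuristic the alert describes (account normally on Kerberos, suddenly NTLM,
from a new source, right after failed logons), run over constructed records.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def _ev(time, event_id, user, src_ip, pkg):
    # Network logon (type 3) records only; that is what a CIFS access produces.
    return {"time": time, "id": event_id, "user": user, "src_ip": src_ip,
            "pkg": pkg, "logon_type": 3}

# Constructed sample events as seen on FILESRV-02 (not real logs), oldest first.
EVENTS = [
    _ev("2024-03-10 02:00", 4624, "svc_backup", "192.168.10.50", "NTLM"),
    _ev("2024-03-11 02:00", 4624, "svc_backup", "192.168.10.50", "NTLM"),
    _ev("2024-03-11 08:02", 4624, "rpatel", "192.168.45.12", "Kerberos"),
    _ev("2024-03-11 09:15", 4624, "rpatel", "192.168.45.12", "Kerberos"),
    _ev("2024-03-11 14:40", 4624, "rpatel", "192.168.45.12", "Kerberos"),
    _ev("2024-03-12 02:00", 4624, "svc_backup", "192.168.10.50", "NTLM"),
    _ev("2024-03-12 08:10", 4624, "rpatel", "192.168.45.12", "Kerberos"),
    # Attacker on ENG-WS-045: two failures, then success with rpatel's NT hash
    _ev("2024-03-12 09:20", 4625, "rpatel", "192.168.45.78", "NTLM"),
    _ev("2024-03-12 09:22", 4625, "rpatel", "192.168.45.78", "NTLM"),
    _ev("2024-03-12 09:25", 4624, "rpatel", "192.168.45.78", "NTLM"),
    # Benign: a service account that has always used NTLM from the same host
    _ev("2024-03-12 09:30", 4624, "svc_backup", "192.168.10.50", "NTLM"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def detect_pth(events, baseline_end, failure_window=timedelta(minutes=30),
               min_baseline=3, threshold=80):
    """Score NTLM network logons after baseline_end against each account's history.

    Hypothetical weights:
      +50  account's baseline logons are >= 90% Kerberos
      +30  source IP never seen for this account in the baseline
      +20  two or more failed logons from that source in the preceding window
    """
    pkgs = defaultdict(Counter)      # user -> Counter({"Kerberos": n, "NTLM": m})
    sources = defaultdict(set)       # user -> source IPs seen in the baseline
    failures = defaultdict(list)     # (user, src_ip) -> failure times
    for e in events:
        t = _ts(e["time"])
        if e["id"] == 4625:
            failures[(e["user"], e["src_ip"])].append(t)
        elif e["id"] == 4624 and e["logon_type"] == 3 and t < baseline_end:
            pkgs[e["user"]][e["pkg"]] += 1
            sources[e["user"]].add(e["src_ip"])

    findings = []
    for e in events:
        t = _ts(e["time"])
        if e["id"] != 4624 or e["logon_type"] != 3 or e["pkg"] != "NTLM" or t < baseline_end:
            continue
        base = pkgs[e["user"]]
        total = sum(base.values())
        if total < min_baseline:
            continue  # no history to judge NTLM against; a "new account" rule would cover this
        kerb_share = base["Kerberos"] / total
        recent_fail = sum(1 for f in failures[(e["user"], e["src_ip"])]
                          if t - failure_window <= f < t)
        score, reasons = 0, []
        if kerb_share >= 0.9:
            score += 50
            reasons.append(f"NTLM logon for an account that is {kerb_share:.0%} Kerberos in baseline")
        if e["src_ip"] not in sources[e["user"]]:
            score += 30
            reasons.append(f"source {e['src_ip']} never seen for this account")
        if recent_fail >= 2:
            score += 20
            reasons.append(f"{recent_fail} failed logons from this source in the prior {failure_window}")
        if score >= threshold:
            findings.append({"time": e["time"], "user": e["user"], "src_ip": e["src_ip"],
                             "score": score, "reasons": reasons})
    return findings

def sample_findings():
    """Run the detector with everything before 09:00 on the incident day as baseline."""
    return detect_pth(EVENTS, datetime(2024, 3, 12, 9, 0))

if __name__ == "__main__":
    for f in sample_findings():
        print(f["time"], f["user"], f["src_ip"], f["score"])
        for r in f["reasons"]:
            print("  -", r)
```

Only the 09:25 logon from 192.168.45.78 scores; the service account's NTLM logon at 09:30 scores zero because NTLM from that host is its baseline, which is the false positive a naive "alert on every NTLM logon" rule would raise.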

Additional Context:

rpatel’s account had been flagged for suspicious activity
Host 192.168.45.78 was compromised earlier (Cobalt Strike)
Attacker using stolen hash to move laterally
SOC Investigation Process

Step | Action | Tools Used | Findings
1. Alert Validation | Verify MDI alert | Microsoft Defender for Identity | Confirmed Pass-the-Hash attack
2. Source Investigation | Check ENG-WS-045 | CrowdStrike Falcon | Host has active Cobalt Strike beacon
3. Immediate Action | Isolate source host | CrowdStrike | ENG-WS-045 quarantined
4. Account Remediation | Reset rpatel password | Azure AD, AD | Password reset; forced logoff
5. Hash Revocation | N/A – the NT hash is MD4 of the password, so the reset in step 4 already replaced it | – | Stolen hash no longer authenticates; sessions and Kerberos tickets obtained before the reset stay valid until they expire or are killed, hence the forced logoff
6. Threat Hunting | Check for other Pass-the-Hash activity | MDI, Splunk | No other instances found

Jira Incident Report
Ticket: SOC-2024-206
Summary: T1550.002 – Pass-the-Hash Attack from Compromised Engineering Host
Status: RESOLVED
Resolution: MALICIOUS – Lateral Movement Blocked
Priority: P1 – CRITICAL
Labels: T1550, pass-the-hash, lateral-movement, mdi, compromised-host
Components: Identity-Management, Endpoint-Security

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Microsoft Defender for Identity.
Alert: “Pass-the-Hash Attack Detected”.
Source Host: ENG-WS-045 (Engineering, IP 192.168.45.78).
Target: FILESRV-02 (File Server).
User: rpatel@company.com (compromised).
Time: 2024-03-12 09:30 EST.
Technique: MITRE ATT&CK T1550.002 – Use Alternate Authentication Material: Pass the Hash.

2. Technical Analysis:

Attack Chain:

08:30 – rpatel's credentials compromised via phishing
08:45 – Attacker logs into ENG-WS-045 over RDP with the phished credentials
08:50 – Attacker dumps credentials from LSASS memory with Mimikatz (this needs local administrator rights on the host, since reading LSASS requires SeDebugPrivilege)
09:00 – Attacker authenticates to FILESRV-02 with rpatel's NT hash (Pass-the-Hash)
09:10 – Attacker browses files on the file server
09:25 – MDI flags the anomalous NTLM logon

Pass-the-Hash Technique:

Attacker obtained the NT hash (MD4 of the UTF-16LE password) of rpatel's account from LSASS
NTLM never sends the password: the client proves possession of the NT hash by computing a challenge-response (HMAC-MD5 for NTLMv2), so the hash alone is sufficient to authenticate
No cracking was required; the plaintext password was never needed
This allowed lateral movement to the file server as rpatel
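
The point above, shown in working code as an added example (not code from this report or from Microsoft): a legitimate client starting from the password and an attacker starting from the dumped NT hash produce the identical NTLMv2 response and session key. MD4 is implemented inline because hashlib's md4 is often unavailable under OpenSSL 3; the challenge, client nonce and target info are the fixed values from the MS-NLMP 4.2 examples, and the user/domain/password used are the ones from that specification, not this incident's.

```python
"""Why a stolen NT hash is enough for NTLM: the response never uses the password.

Added example, not code from the page or from Microsoft. Message layout follows
MS-NLMP 3.3.2 (NTLMv2); the fixed protocol values are from the MS-NLMP 4.2
examples. The "attacker" path is the same computation started from the hash.
"""
import hmac
import struct

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is frequently disabled)."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = rol((a + fn(b, c, d) + X[j] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. This is what Mimikatz dumps from LSASS."""
    return md4(password.encode("utf-16le"))

def ntowf_v2(nthash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) + domain). The input is the hash, not the password."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16le"), "md5").digest()

def ntlmv2_response(key: bytes, server_challenge: bytes, client_challenge: bytes,
                    target_info: bytes, timestamp: int = 0):
    """Return (NTLMv2 response, session base key) exactly as a client computes them."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(key, server_challenge + temp, "md5").digest()
    session_base_key = hmac.new(key, nt_proof, "md5").digest()
    return nt_proof + temp, session_base_key

# Fixed protocol values from the MS-NLMP 4.2 examples
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("aa" * 8)
TARGET_INFO = (struct.pack("<HH", 2, 12) + "Domain".encode("utf-16le")   # MsvAvNbDomainName
               + struct.pack("<HH", 1, 12) + "Server".encode("utf-16le")  # MsvAvNbComputerName
               + struct.pack("<HH", 0, 0))                                # MsvAvEOL

def legitimate_client(password: str, user: str, domain: str):
    """Real user: starts from the password, hashes it, then answers the challenge."""
    key = ntowf_v2(nt_hash(password), user, domain)
    return ntlmv2_response(key, SERVER_CHALLENGE, CLIENT_CHALLENGE, TARGET_INFO)

def pass_the_hash_client(stolen_nt_hash: bytes, user: str, domain: str):
    """Attacker: starts from the dumped NT hash; the password is never needed."""
    key = ntowf_v2(stolen_nt_hash, user, domain)
    return ntlmv2_response(key, SERVER_CHALLENGE, CLIENT_CHALLENGE, TARGET_INFO)

def demo():
    """Compare both paths for the MS-NLMP example identity (User / Domain / Password)."""
    real = legitimate_client("Password", "User", "Domain")
    dumped = nt_hash("Password")           # what Mimikatz would hand the attacker
    forged = pass_the_hash_client(dumped, "User", "Domain")
    return {"nt_hash": dumped.hex(), "same_response": real[0] == forged[0],
            "same_session_key": real[1] == forged[1]}

if __name__ == "__main__":
    print(demo())
```

Because the server only ever checks the HMAC over its challenge, it cannot tell which of the two clients it is talking to; that is also why the session key (and therefore SMB signing) offers no protection once the hash is stolen, and why the fix is to replace the hash by resetting the password rather than to "revoke" it.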

Compromised Host:

ENG-WS-045 had active Cobalt Strike beacon
Mimikatz used to extract hashes
Multiple hashes stolen (including rpatel)

Successful Lateral Movement:

Attacker accessed \\filesrv-02\finance (financial documents)
Opened 5 files; file-server logs record reads only, with no copy or download activity
No data exfiltration detected (to the server an SMB read and a file copy look the same, so this rests on the absence of bulk transfer, not on proof that the data never left the host)

3. Investigation Findings:

Timeline:

08:30 – Account compromised
08:45 – Attacker logs in
08:50 – Hash extraction
09:00 – Lateral movement to file server
09:25 – MDI detects
09:27 – SOC investigates
09:28 – ENG-WS-045 isolated
09:29 – rpatel password reset

Indicators of Compromise (IoCs):

Host:

– ENG-WS-045 (compromised)

Account:

– rpatel (hash stolen, password reset)

Tools:

– Mimikatz (SHA256: a1b2c3d4…)

– Cobalt Strike beacon (SHA256: b2c3d4e5…)

4. Containment Actions:

Immediate Actions:

Isolated ENG-WS-045 via CrowdStrike.
Reset rpatel password (this replaces the NT hash, so the stolen hash stops working for new logons).
Forced logoff of all active sessions: an SMB session already authenticated with the stolen hash survives the reset until it is torn down.
Revoked any active tokens. Kerberos tickets already issued to the attacker likewise remain valid until they expire (10 hours by default for a TGT), so session termination, not the reset alone, is what ends access.

Host Remediation:

Full forensic analysis.
Cobalt Strike beacon removed.
Host reimaged.

Data Protection:

Reviewed accessed files on file server (5 files, non-sensitive).
No data exfiltration confirmed.

5. Root Cause Analysis:

Primary Cause: User credentials compromised by phishing, leading to hash theft and lateral movement.
Contributing Factors:
No MFA on the account (MFA would have blocked the initial phished logon; it does nothing against NTLM itself, which has no second factor).
LSASS credential material readable (no Credential Guard), so any local administrator on the host could dump the NT hash.
Network segmentation insufficient: an engineering workstation could reach the finance share over SMB.

6. Business Impact:

Operational Impact: Engineering host offline for 2 hours.
Data Exposure: Files viewed but not exfiltrated.

7. Remediation & Prevention:

Completed Actions:

Host isolated and cleaned.
Password reset.
Hashes invalidated. Note that Mimikatz dumped more than rpatel's hash from ENG-WS-045, so every other account that had a logon session on that host needs the same reset; until then its hash remains usable.

Technical Controls Enhanced:

Enabled Credential Guard on all endpoints. This isolates LSASS secrets in a VBS-protected process so Mimikatz cannot read domain credentials from memory; it does not protect local SAM account hashes and does not stop Pass-the-Hash with a hash obtained elsewhere.
Restricted lateral movement via network segmentation (workstation-to-server SMB limited to what each role needs).
Enhanced MDI monitoring for Pass-the-Hash. The useful signal is NTLM use by accounts that otherwise authenticate with Kerberos, so NTLM auditing on the domain controllers (MDI's recommended NTLM audit settings, which produce event 8004) is needed for the source of each NTLM logon to be visible.

8. Conclusion:

An attacker used compromised credentials to dump hashes and perform a Pass-the-Hash attack, moving laterally to a file server. MDI detected the anomalous NTLM authentication and enabled rapid containment.

Closure Rationale: Lateral movement blocked; host cleaned; account secured.

Analyst: [Your Name], SOC Analyst Date: 2024-03-12 10:30 EST
