T1550 – Use Alternate Authentication Material (Microsoft Defender for Identity Detection)

Microsoft Defender for Identity Alert Details
Alert ID: MDI-ALTERNATE-AUTH-1550-7842
Alert Time: 2024-02-26 09:30:15 EST
Severity: CRITICAL (98/100)
Source: Microsoft Defender for Identity
Rule: “Pass-the-Hash Attack Detected”
MITRE ATT&CK: T1550.002 – Use Alternate Authentication Material: Pass the Hash

Alert Details:

Detection: NTLM authentication performed with a stolen NT hash rather than the account’s password (Pass-the-Hash)

Source Host: 192.168.45.78 (ENG-WS-045 – Engineering)
Destination: 192.168.10.10 (DC-01 – Domain Controller)
User: rpatel@company.com
Time: 09:25 EST

Authentication Details:

Protocol: NTLM (not Kerberos)
Authentication Type: NTLMv2
Credential Used: NT hash (the NTLMv2 response was computed from a passed hash; no plaintext password was involved)
Session Key: Derived from the same NT hash
Target Service: CIFS (file access)

Anomaly Detection:

User rpatel normally authenticates with Kerberos
NTLM usage is unusual for this user in this context
Source host is an engineering workstation, not an administrative host
Multiple previous failed logons from the same source
Pattern matches a Pass-the-Hash attack

Additional Context:

rpatel’s account had been flagged for suspicious activity
Host 192.168.45.78 was compromised earlier (Cobalt Strike)
Attacker using stolen hash to move laterally
SOC Investigation Process

Step 1 – Alert Validation
Action: Verify MDI alert
Tools Used: Microsoft Defender for Identity
Findings: Confirmed Pass-the-Hash attack

Step 2 – Source Investigation
Action: Check ENG-WS-045
Tools Used: CrowdStrike Falcon
Findings: Host has active Cobalt Strike beacon

Step 3 – Immediate Action
Action: Isolate source host
Tools Used: CrowdStrike
Findings: ENG-WS-045 quarantined

Step 4 – Account Remediation
Action: Reset rpatel password
Tools Used: Azure AD, AD
Findings: Password reset; active sessions forcibly logged off

Step 5 – Hash Revocation
Action: Decide whether a domain-wide password reset is required
Tools Used: AD
Findings: Domain-wide reset not performed; only the targeted account (rpatel) was reset. A password change replaces only that account’s NT hash, so any other accounts whose hashes were dumped from ENG-WS-045 need their own resets.

Step 6 – Threat Hunting
Action: Check for other Pass-the-Hash activity
Tools Used: MDI, Splunk
Findings: No other instances found

Jira Incident Report
Ticket: SOC-2024-131
Summary: T1550 – Pass-the-Hash Attack from Compromised Engineering Host
Status: RESOLVED
Resolution: MALICIOUS – Lateral Movement Blocked
Priority: P1 – CRITICAL
Labels: T1550, pass-the-hash, alternate-authentication, mdi, lateral-movement
Components: Identity-Management, Endpoint-Security

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Microsoft Defender for Identity.
Alert: “Pass-the-Hash Attack Detected”.
Source Host: ENG-WS-045 (Engineering, IP 192.168.45.78).
Target: DC-01 (Domain Controller).
User: rpatel@company.com.
Time: 2024-02-26 09:30 EST.
Technique: MITRE ATT&CK T1550.002 – Use Alternate Authentication Material: Pass the Hash.

2. Technical Analysis:

Attack Chain:

08:00 – rpatel’s credentials compromised via phishing
08:30 – Attacker logs into ENG-WS-045 using compromised credentials
08:45 – Attacker dumps hashes from LSASS memory using Mimikatz
09:00 – Attacker uses rpatel’s hash to authenticate to file server (successful)
09:15 – Attacker uses hash to access other resources
09:25 – Attacker attempts to authenticate to DC-01 using hash
09:25 – MDI detects Pass-the-Hash anomaly

Pass-the-Hash Technique:

Attacker obtained the NTLM (NT) hash of rpatel’s account from LSASS memory
Used the hash to authenticate over NTLM without knowing the plaintext password
No password guessing or cracking was required: for NTLM the NT hash is password-equivalent, because the NTLMv2 response and session key are computed from the hash, not the password
Allowed lateral movement to the file server and an attempted logon to the DC

Compromised Host:

ENG-WS-045 had active Cobalt Strike beacon
Mimikatz used to extract hashes
Multiple hashes stolen (including rpatel)

Successful Authentications (before detection):

\\filesrv\finance (file server) – 12 files accessed
\\sqlsrv\ (SQL server) – queried (no data extracted)
DC-01 – attempted; surfaced by the MDI alert (MDI detects, it does not block) and stopped by isolating the source host

3. Investigation Findings:

Timeline:

08:00 – Credentials compromised
08:30-09:00 – Hash extraction
09:00-09:20 – Lateral movement to file server
09:25 – Pass-the-Hash to DC detected
09:27 – SOC investigates
09:28 – ENG-WS-045 isolated
09:29 – rpatel password reset

Indicators of Compromise (IoCs):

Host:

– ENG-WS-045 (compromised)

Account:

– rpatel (hash stolen, password reset)

Tools:

– Mimikatz (SHA256: a1b2c3d4…)

– Cobalt Strike beacon (SHA256: b2c3d4e5…)

4. Containment Actions:

Immediate Actions:

Isolated ENG-WS-045 via CrowdStrike.
Reset rpatel password.
Forced logoff of all active sessions.
Revoked any active tokens.

Host Remediation:

Full forensic analysis.
Cobalt Strike beacon removed.
Host reimaged.

Data Protection:

Reviewed accessed files on file server (12 files, non-sensitive).
No data exfiltration confirmed.

5. Root Cause Analysis:

Primary Cause: User credentials compromised, leading to hash theft and lateral movement.
Contributing Factors:
No MFA on account.
LSASS memory readable for credential dumping (Credential Guard not enabled).
Network segmentation insufficient.

6. Business Impact:

Operational Impact: Engineering host offline for reimage; user offline for password reset.
Security Impact: Lateral movement achieved; DC access prevented.

7. Remediation & Prevention:

Completed Actions:

Host isolated and cleaned.
rpatel password reset.
rpatel’s NT hash invalidated by the reset (this does not invalidate the hashes of other accounts dumped from ENG-WS-045; those accounts require their own resets).

Technical Controls Enhanced:

Enabled Credential Guard on all endpoints.
Restricted lateral movement via network segmentation.
Enhanced MDI monitoring for Pass-the-Hash.

8. Conclusion:

An attacker used compromised credentials to dump hashes and perform Pass-the-Hash attacks, moving laterally to a file server and attempting domain controller access. MDI detected the anomalous authentication and enabled rapid containment.

Closure Rationale: Lateral movement blocked; host cleaned; account secured.

Analyst: [Walter White], SOC Analyst Date: 2024-02-26 10:30 EST
