What is NTLM?
NTLM (NT LAN Manager) is a suite of Microsoft security protocols designed to provide authentication and encryption for users accessing network resources. NTLM was introduced in the early versions of Windows and is now largely considered outdated, yet it remains prevalent in various systems due to compatibility with legacy applications and networks.
Data Stored in NTLM:
NTLM stores crucial credential data in the form of hashes rather than plaintext passwords, enhancing security by preventing exposure of actual passwords. The primary types of data associated with NTLM include:
User Password Hashes: NTLM generates a hash from a user's password, which is stored in a secure location. When a user attempts to authenticate, the system hashes the input password and compares it to the stored hash.
Challenge/Response Mechanism: NTLM uses a challenge/response mechanism for authentication. When a user logs in, the server sends a challenge to the client. The client then uses its password hash to compute a response, which is sent back to the server for validation.
Session Keys: NTLM can generate session keys during authentication to encrypt communications between the client and server, ensuring confidentiality and integrity of data exchanged during the session.
Security Identifiers (SIDs): NTLM also utilizes SIDs to uniquely identify users and groups within Windows environments, facilitating access control and permissions management.
Overall, NTLM provides a means for secure authentication, though organizations are encouraged to migrate to more modern protocols like Kerberos for enhanced security and functionality.
NTLM Hash Dumping
NTLM hash dumping is a technique used by attackers to extract NTLM password hashes from a compromised system. This activity typically occurs after an attacker gains administrative privileges on a Windows workstation or server. The primary targets for hash dumping include:
LSASS Process Memory: NTLM hashes are stored in the memory of the Local Security Authority Subsystem Service (LSASS), which is responsible for enforcing security policies and managing user authentication.
NTDS.dit File: In domain controllers, NTLM hashes are stored within the NTDS.dit file, which contains Active Directory data, including user credentials.
Main
This activity occurs during the post-exploitation phase, which involves leveraging compromised access to an endpoint asset, such as a workstation or server, with administrator-level user privileges. At this stage, the attacker can execute various techniques to extract sensitive information, including credential data, enabling further unauthorized access and lateral movement within the network.
Once attackers extract NTLM hashes, they can use them in pass-the-hash attacks, enabling unauthorized access or lateral movement within a network. This article outlines the methods of NTLM hash extraction and the detection strategies for each, expressed as SIEM and EDR queries.
1. Extracting NTLM Hash from a Workstation Using ProcDump
ProcDump is a legitimate Microsoft Sysinternals command-line utility that is often misused by attackers to dump LSASS (Local Security Authority Subsystem Service) memory, which may contain NTLM hashes.
Steps:
- The attacker executes procdump.exe to dump LSASS's memory into a dump file.
- The dump file (e.g., lsass.dmp) contains NTLM hashes that the attacker can use to authenticate or escalate privileges.
Example command:
procdump.exe -accepteula -ma lsass.exe lsass.dmp
Lucene detection query:
SIEM: process_name:"procdump.exe" AND event_id:4688 AND command_line:"lsass.exe"
EDR: process_name:"procdump.exe" AND command_line:"lsass.exe"
Chances of False Positives:
- High: ProcDump is a legitimate tool used for troubleshooting. Its usage in normal administrative tasks could trigger false positives, especially if it's part of routine debugging or support activities.
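The SIEM and EDR queries above can be exercised offline against process-creation telemetry. The following is an added example (not part of the original article) that implements the same logic in Python over constructed 4688-style events: it matches case-insensitively, strips any path from the process name, and labels hits from an assumed allowlist of support accounts to help triage the false positives noted above. The event field names, hostnames and accounts are constructed for the example.

```python
import re
from typing import Iterable

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "WS01", "user": "j.doe",
     "process_name": "procdump.exe",
     "command_line": "procdump.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"event_id": 4688, "host": "WS02", "user": "svc.build",
     "process_name": "procdump.exe",
     "command_line": "procdump.exe -accepteula -ma iexplore.exe crash.dmp"},
    {"event_id": 4688, "host": "WS03", "user": "svc.support",
     "process_name": "C:\\Tools\\PROCDUMP.EXE",
     "command_line": "C:\\Tools\\PROCDUMP.EXE -ma LSASS.exe C:\\temp\\out.dmp"},
    {"event_id": 4624, "host": "WS01", "user": "j.doe",
     "process_name": "-", "command_line": "-"},
]

# Matches "lsass" or "lsass.exe" as a whole token anywhere in the command line.
LSASS_PATTERN = re.compile(r"\blsass(\.exe)?\b", re.IGNORECASE)

# Accounts expected to run ProcDump for support work (constructed allowlist).
# Their hits are still reported, only labelled differently for triage.
APPROVED_DEBUG_USERS = {"svc.support"}

def matches_procdump_lsass(event: dict, require_4688: bool = True) -> bool:
    """Python equivalent of the Lucene queries: the SIEM form when
    require_4688 is True, the EDR form (no event_id filter) when False."""
    if require_4688 and event.get("event_id") != 4688:
        return False
    # process_name may carry a full path; compare the basename only.
    name = event.get("process_name", "").replace("\\", "/").rsplit("/", 1)[-1]
    if name.lower() != "procdump.exe":
        return False
    return bool(LSASS_PATTERN.search(event.get("command_line", "")))

def detect(events: Iterable[dict], require_4688: bool = True) -> list[dict]:
    """Return the events that match the ProcDump-on-LSASS rule."""
    return [e for e in events if matches_procdump_lsass(e, require_4688)]

def triage(events: Iterable[dict]) -> list[tuple[dict, str]]:
    """Pair each hit with 'review' (approved support account) or 'alert'."""
    return [(e, "review" if e.get("user") in APPROVED_DEBUG_USERS else "alert")
            for e in detect(events)]

if __name__ == "__main__":
    for hit, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict.upper()} {hit['host']} {hit['user']}: {hit['command_line']}")
```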