It does not matter where or how an attack started: while many attacks begin with stolen credentials, at some point every attack looks like an insider, because the attacker is operating with valid accounts on the network. On this premise, we believe that reducing the effectiveness of known attack techniques is as important as ever.
Practitioners need to educate users, reduce the use of administrative privileges in the organization, actively avoid RDP sessions from privileged accounts (an interactive RDP logon leaves reusable credentials on the remote host), and do as much as possible to eliminate NTLM authentication. In spite of the progress Microsoft has made in recent years to mitigate known attacks like Pass-the-Hash (PtH), especially in Windows 8.1 with the Protected Users group, LSASS running as a protected process and Restricted Admin mode for RDP, this threat has not been eliminated: an NTLM hash is still a credential that can be replayed wherever NTLM authentication is accepted.
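Eliminating NTLM and privileged RDP use starts with measuring where they still occur. The following script is an added example, not part of the paper; it inventories successful logons (Security event 4624) on a host and separates NTLM authentications and RDP (logon type 10) sessions from the rest. It assumes it is run elevated against a host whose Security log still retains the events of interest; the `$ComputerName` and `$Days` parameters and the output layout are the example's own choices.

```powershell
# Added example (not from the paper): inventory NTLM and RDP logons from Security event 4624
# so that "eliminate NTLM" and "avoid RDP" can be measured rather than assumed.
# Assumes an elevated session and a Security log that still holds the period examined.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumption: local host unless told otherwise
    [int]$Days = 7                               # assumption: look back one week
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624                             # "An account was successfully logged on"
    StartTime = (Get-Date).AddDays(-$Days)
}

# Flatten each event's EventData into a row. 4624 carries the fields used below
# (LogonType, AuthenticationPackageName, LmPackageName, IpAddress, ProcessName).
$rows = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = [int]$d.LogonType      # 3 = network, 10 = RemoteInteractive (RDP)
            AuthPackage = $d.AuthenticationPackageName   # 'NTLM' or 'Kerberos'
            LmPackage   = $d.LmPackageName       # 'NTLM V1' / 'NTLM V2' when NTLM was used
            Source      = $d.IpAddress
            Process     = $d.ProcessName
        }
    }

# NTLM logons: every one is a place where a captured hash could be replayed.
# Machine accounts (trailing $) and ANONYMOUS LOGON are excluded to keep the list actionable.
$ntlm = $rows | Where-Object {
    $_.AuthPackage -eq 'NTLM' -and $_.User -notmatch '\$$' -and $_.User -notlike '*ANONYMOUS LOGON'
}
"NTLM logons in the last $Days day(s), by account and source:"
$ntlm | Group-Object User, Source, LmPackage | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# RDP logons: interactive sessions from privileged accounts leave reusable credentials
# in LSASS on this host unless Restricted Admin mode was used.
$rdp = $rows | Where-Object { $_.LogonType -eq 10 }
"RDP (logon type 10) sessions in the last $Days day(s):"
$rdp | Select-Object Time, User, Source, AuthPackage | Sort-Object Time | Format-Table -AutoSize
```

Run it against a few representative servers and the domain controllers; accounts that repeatedly appear under NTLM are the ones whose applications, service configurations or SPN registrations need attention before NTLM can be restricted by policy. If the "Network security: Restrict NTLM" audit policies are enabled, the Microsoft-Windows-NTLM/Operational log gives the same picture without parsing 4624 events.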
We wrote this paper with no intention of introducing new attacks or expanding on the excellent Pass-the-Hash papers of the past few years. It is a defensive guide: a series of steps needed to make detection achievable for the incident response team, highlighting where to look and what to look for so that compromised credentials can be detected.