
CompTIA SY0-701: How Did the Attacker Use Mimikatz to Gain Access to a Hardened PC?

Learn how an attacker used Mimikatz to perform a pass-the-hash attack and gain unauthorized access to a hardened PC on a corporate domain. Discover how shared accounts can be exploited.


Question

An organization experienced a security breach that allowed an attacker to send fraudulent wire transfers from a hardened PC exclusively to the attacker’s bank through remote connections. A security analyst is creating a timeline of events and has found a different PC on the network containing malware. Upon reviewing the command history, the analyst finds the following:

PS>.\mimikatz.exe "sekurlsa::pth /user:localadmin /domain:corp-domain.com /ntlm:B4B9B02E1F29A3CF193EAB28C8D617D3F327"

Which of the following best describes how the attacker gained access to the hardened PC?

A. The attacker created fileless malware that was hosted by the banking platform.
B. The attacker performed a pass-the-hash attack using a shared support account.
C. The attacker utilized living-off-the-land binaries to evade endpoint detection and response software.
D. The attacker socially engineered the accountant into performing bad transfers.

Answer

B. The attacker performed a pass-the-hash attack using a shared support account.

Explanation

The command history shows the attacker running the “sekurlsa::pth” (pass-the-hash) module of Mimikatz to impersonate the “localadmin” account in the “corp-domain.com” domain using the NTLM hash “B4B9B02E1F29A3CF193EAB28C8D617D3F327”. sekurlsa::pth starts a new process (cmd.exe unless /run: names another) whose logon session LSASS backs with the supplied hash instead of a password, so every NTLM authentication that process makes to a remote host, for example an SMB or RDP connection to the hardened PC, is performed as localadmin. One detail worth noticing: as printed, the hash is 36 hexadecimal characters, while a real NT hash is 128 bits (32 hexadecimal characters), so the value in the question is illustrative rather than a usable hash.

In a pass-the-hash attack, the attacker obtains the NT hash of a user’s password (MD4 over the UTF-16LE password, the value Windows stores in the SAM and in Active Directory and keeps in LSASS memory for logged-on users) rather than the plaintext password. No cracking is needed: in NTLM challenge-response the client proves possession of the hash, not the password, because the response is an HMAC keyed by material derived from the hash, and the server verifies it against its own stored copy of that hash. Whoever holds the hash can therefore produce a valid response and authenticate as that user. With a domain account the same idea extends to Kerberos (overpass-the-hash), since the NT hash is also the account’s RC4 Kerberos key.

“localadmin” appears to be a shared support account, either a domain account in corp-domain.com, as the /domain: switch suggests, or a local administrator created with the same password on every PC. The attacker most likely dumped its hash on the malware-infected PC the analyst found: with local SYSTEM access, Mimikatz reads the hashes of logged-on users from LSASS memory (sekurlsa::logonpasswords) or from the local SAM (lsadump::sam), and a technician who had earlier logged on with the shared account would have left its hash there. Because the same password yields the same hash everywhere the account exists, the hash dumped on one PC was valid on the hardened one, and sekurlsa::pth let the attacker open a remote session to it as localadmin without ever learning the password.

Shared accounts like “localadmin” are attractive targets because one credential is valid on every system the account is used on and, since a shared password yields the same hash on each of them, a single dump anywhere grants access everywhere. They also defeat accountability: the logs show “localadmin”, not which technician (or which attacker) was actually at the keyboard, which is exactly what makes the analyst’s timeline harder to build.

To mitigate pass-the-hash attacks, organizations should:

  1. Eliminate shared support accounts: give each technician an individual, audited administrative identity, and use LAPS so the built-in local administrator password, and therefore its hash, is unique on every machine
  2. Keep privileged hashes out of reach: do not log on to ordinary workstations with high-privilege accounts (tiered administration), add such accounts to the Protected Users group, which disables NTLM for them, and enable Credential Guard to isolate LSASS secrets
  3. Block the lateral-movement path: deny network and remote interactive logon to local accounts through Group Policy (the “Local account and member of Administrators group” identity, S-1-5-114) and use host firewall rules to drop inbound SMB and RPC between workstations
  4. Audit and restrict NTLM with the “Network security: Restrict NTLM” policies so that only servers with a known need still accept it
  5. Rotate privileged passwords on a schedule and after any incident; a new password means a new hash, which invalidates a stolen one. Multi-factor authentication on remote access and jump hosts helps too, but NTLM itself has no MFA step, so MFA alone does not stop pass-the-hash against a host that still accepts NTLM
  6. Apply least privilege and monitor for the telltale artifacts: 4624 logons of type 9 with logon process “seclogo” on the source host, processes opening lsass.exe, and NTLM network logons with administrative accounts coming from ordinary workstations

In summary, the attacker was able to breach the hardened PC by performing a pass-the-hash attack using a compromised shared “localadmin” account. Mimikatz allowed the attacker to impersonate this account with just the NTLM hash, granting them unauthorized access.
