none
Pass the Hash simulation no longer working RRS feed

  • Question

  • Hi,

    Last week I successfully simulated "Pass the hash" in my environment using mimikatz.

    However, using back the same machine, same ID, and same method, it just don't work now.

    DNS Reconnaissance, Directory Reconnaissance, LDAP binding all can detect. 

    Any idea why?

    Regards,

    Hau

    Monday, March 27, 2017 4:25 PM

All replies

  • Hello Hau,

    How did you handle the original alert, did you mark it resolved, or dismissed? 

    If you dismiss this alert, you may not get the alert once the same attack occurs again from the same source.

    In addition, have you ever tried this attack from  another computer?

    I'll try it in the lab, and give you a feedback later.


    Best regards,
    Andy Liu

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, March 28, 2017 10:10 AM
    Moderator
  • I resolved the alert. I never dismissed any alert.

    I have tried it with another computer, I've also tried it with different admin (victim) to dir the domain controller. 

    Regards,

    Hau


    • Edited by kwokhauMVP Tuesday, March 28, 2017 10:10 PM
    Tuesday, March 28, 2017 9:51 PM
  • Hello,

    I can receive the second alert for "Pass the hash", but I waited for around 40 ~ 60 minutes after I executed the command.

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, March 31, 2017 5:16 AM
    Moderator
  • Andy,

    What do you use to simulate these attacks?

    Thanks,

    -Chris

    Wednesday, May 17, 2017 7:18 PM
  • Hello Chris,

    I simulated these attacks by following the procedures described in ATA playbook.

    More details about ATA playbook, please refer to the following article.

    https://docs.microsoft.com/en-us/enterprise-mobility-security/solutions/ata-attack-simulation-playbook

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, May 19, 2017 9:04 AM
    Moderator