Pass-the-Hash Deception

Pass-the-Hash Deception

MazeRunner now features a whole new category of breadcrumbs, “network traffic breadcrumbs”. These breadcrumbs target threats that sniff the network to gain more credentials, as well as use other propagation techniques. In this version of MazeRunner, the first breadcrumb of this type is generated NTLM traffic, which many known tools (e.g., Responder.py) capture and use in Pass-the-Hash attacks. This breadcrumb type can take the shape of any credential type of any domain, and is a completely new approach for deceiving attackers – one that covers much more of the lateral movement arsenal.

Below is a screenshot from MazeRunner showing the alert received when an attacker picks up this type of breadcrumb, as well as a screenshot of the Responder.py output. In the below example, the network traffic breadcrumb is a printer connecting to the network; this breadcrumb is picked up by an attacker running Responder.py:

Example alert from MazeRunner

Example alert from MazeRunner when a credential that was passed in the network, by a network breadcrumb, was sniffed and used by an attacker

 

Output of the hacking tool Responder.py when sniffing the breadcrumb

Output of the hacking tool Responder.py when sniffing the breadcrumb