What is a primary defense against Pass the Hash attacks?

Study for the SANS560 GIAC Penetration Tester (GPEN) Test. Study with flashcards and multiple choice questions; each question has hints and explanations. Get ready for your exam!

Multiple Choice

What is a primary defense against Pass the Hash attacks?

Explanation:
Pass the Hash attacks rely on stolen credentials within a Windows environment to authenticate to other systems without needing the actual password. The strongest defense is to require multi-factor authentication for privileged access and to enforce the principle of least privilege by limiting administrator rights.

MFA means that even if an attacker captures a hash, they still need the second factor to log in, effectively blocking the attack because possession of the hash alone no longer grants access. Limiting administrator privileges reduces the number of accounts that have elevated rights and the number of systems those accounts can reach. With fewer highly privileged accounts and tighter controls, attackers have fewer avenues to move laterally and escalate privileges after compromising a host.

Options that rely on weakening or disabling defenses (like firewall changes), maintaining default admin accounts, or using weaker authentication methods (like NTLMv1) do not address the underlying risk and can even increase it, making it easier for attackers to exploit hashes.
