Download Now

First Name

Last Name

Company

Country

State

Postal Code - optional

Thank you!

Error - something went wrong!

Pass the hash detection using Windows Events

December 17, 2019

In this paper we will focus on detecting Pass-The-Hash attacks, after the credentials were stolen, via the event viewer.

Pass-The-Hash is an attack technique that allows an attacker to start lateral movement in the network over NTLM protocol, in contrary to Over Pass-The-Hash which use Kerberos protocol, without the need for the user password. We will compare between legitimate and illegitimate NTLM connections, we will show what indictors can be used to distinguish between them and what we can conclude from that to build out an algorithm to demonstrate detection of Pass-the-Hash attacks.

CyberArk Labs created a tool (Ketshash) that demonstrate the detection methods that we will talk about in this paper. This paper does not provide a 100% solution for Pass-The-Hash attack but it will show what can be done with the available tools and how to create a general view of the NTLM connections over the network.

Previous Whitepaper

Strengthening SAP Security with the CyberArk Privileged Access Security Solution

Safeguard your SAP accounts and applications enterprise-wide with CyberArk’s Core PAS Solution

Next Whitepaper

The Balancing Act: The CISO View on Improving Privileged Access Controls

Derived from interviews with an esteemed panel of Global 1000 CISOs, the report provides practical guidance...

Up Your Security I.Q. by Checking Out Our Collection of Curated Resources.

Pass the hash detection using Windows Events

Previous Whitepaper

Next Whitepaper

STAY IN TOUCH

Pass the hash detection using Windows Events

Previous Whitepaper

Next Whitepaper

Recommended for You

Learn about the many ways an enterprise browser can help bolster your security posture and improve user experience.

Learn how deploying a secure browser can help level up your identity security posture and improve workforce productivity.

Prevent browser-based threats and enable workforce productivity with an identity-centric approach to enterprise browsing.

Access peer-to-peer CISO recommendations on how to protect privileged access in a Zero Trust Model.

Dive into technical elements of CyberArk Remote Access; a SaaS offering consisting of a mobile application, cloud service and lightweight connector for remote access with no VPNs, passwords or agents.

Learn how to meet identity security compliance t to secure your critical data in an AWS cloud environment.

Learn how to evolve your PAM program to secure high-risk access in cloud and operational technology environments, while ensuring foundational PAM controls are in place.

Learn how intelligent privilege controls can help secure workforce access in complex IT environments where anyone can become a privileged user.

Learn how the CyberArk Identity Security Intelligence service helps organizations detect and respond to identity-related threats.

Learn how CyberArk’s Insight to Action framework can help secure multi-cloud environments and mitigate risk.

Zero Trust meets global data and technological needs. Know how to build trust and confidence when granting access based on work requirements.

Learn how CyberArk Secrets Manager and the CyberArk Identity Security Platform can help federal agencies secure human and non-human identities.

Learn how to meet identity security compliance in the cloud to secure your critical data in a multi-cloud environment.

Overcome web application vulnerabilities with consistent controls that lets you monitor user activities in high-risk apps down to every click.

Learn about endpoint privilege security for Linux and Windows servers.

Learn how to secure access for your workforce and third parties by removing barriers to visibility, effective controls and efficiency.

PwC and CyberArk best practices to reexamine IoT systems security solutions and practices to limit exposure and satisfy new regulatory requirements.

A modern approach to enforcing least privilege across the enterprise

This whitepaper explains the unique challenges security teams face when securing credentials and CyberArk’s recommended three-phase approach.

This whitepaper explains why it’s important to secure IoT and OT devices and shows how CyberArk can help.