CyberArk Labs recently published a preview of research on our Threat Research Blog exploring ways to detect Pass-the-Hash (PtH) attacks using the Windows Event Viewer. As a follow-up to that widely referenced post, the Labs team has published a technical research paper with additional details on the technique. The new paper is available for download here.
As a refresher, PtH is an attack technique that leverages stolen credentials. It is often used in sophisticated attacks and represents a significant risk to organizations. The attacker steals account credentials from one computer and uses them to authenticate to other hosts in the network. Instead of requiring plaintext passwords, PtH lets the attacker authenticate with password hashes alone and begin lateral movement across the network over the NTLM protocol.
As part of this research, the Labs team evaluated a number of NTLM connection scenarios, including PtH, to pinpoint key indicators and to help distinguish legitimate from illegitimate use. Based on this exercise, the team designed an algorithm and an open-source tool, called Ketshash, to aid in detecting live PtH attempts. You can also watch a short demo video of Ketshash here.
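To make the idea of "distinguishing legitimate from illegitimate NTLM use" concrete, here is an added example of one detection heuristic run over constructed Windows Security log records. It is not Ketshash, not CyberArk's published algorithm, and not taken from the paper; the assumption it encodes is that a user who really entered a password leaves a credential-entry logon (event 4624 with logon type 2, 7, 10 or 11) on some host, so an NTLM network logon (4624, logon type 3, authentication package NTLM) for an account with no such logon in a recent window is worth triaging. The `LogonEvent` shape, the field names, the 10-hour window and the sample records are all constructed for the example.

```python
"""Heuristic triage of NTLM network logons (added example, not Ketshash)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogonEvent:
    """Minimal projection of a Windows Security event 4624 (constructed)."""
    time: datetime
    event_id: int        # 4624 = successful logon
    account: str         # TargetUserName
    logon_type: int      # 2 interactive, 3 network, 7 unlock, 10 RDP, 11 cached
    auth_package: str    # AuthenticationPackageName: "NTLM" or "Kerberos"
    source_host: str     # WorkstationName reported in the event


# Logon types that require the user to actually enter a credential.
CREDENTIAL_ENTRY_TYPES = {2, 7, 10, 11}
# Assumed window: an NTLM logon this long after the last password entry is stale.
LEGIT_WINDOW = timedelta(hours=10)

_BASE = datetime(2017, 1, 10)  # constructed date for the sample records


def _at(hour: int, minute: int) -> datetime:
    return _BASE.replace(hour=hour, minute=minute)


# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    LogonEvent(_at(8, 0),   4624, "alice",      2,  "Kerberos", "WS01"),     # console logon
    LogonEvent(_at(8, 5),   4624, "alice",      3,  "NTLM",     "WS01"),     # SMB share after logon
    LogonEvent(_at(13, 30), 4624, "bob",        3,  "NTLM",     "WS07"),     # no password entry seen
    LogonEvent(_at(2, 10),  4624, "svc_backup", 3,  "NTLM",     "BACKUP01"), # scheduled service account
    LogonEvent(_at(9, 0),   4624, "dave",       10, "Kerberos", "WS03"),     # RDP logon in the morning
    LogonEvent(_at(21, 0),  4624, "dave",       3,  "NTLM",     "WS03"),     # 12 h later, outside window
]


def is_ntlm_network_logon(ev: LogonEvent) -> bool:
    """The indicator the heuristic reacts to: 4624, type 3, NTLM package."""
    return ev.event_id == 4624 and ev.logon_type == 3 and ev.auth_package.upper() == "NTLM"


def find_suspicious_ntlm(events, window=LEGIT_WINDOW, allowlist=frozenset()):
    """Return NTLM network logons whose account has no credential-entry logon
    within `window` before them. `allowlist` holds accounts (service and
    machine accounts) that legitimately never type a password; a real
    deployment must populate it or the heuristic drowns in false positives."""
    last_entry = {}  # account -> time of the most recent credential-entry logon
    flagged = []
    for ev in sorted(events, key=lambda e: e.time):
        acct = ev.account.lower()
        if ev.event_id == 4624 and ev.logon_type in CREDENTIAL_ENTRY_TYPES:
            last_entry[acct] = ev.time
            continue
        if not is_ntlm_network_logon(ev) or acct in allowlist:
            continue
        seen = last_entry.get(acct)
        if seen is None or ev.time - seen > window:
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in find_suspicious_ntlm(SAMPLE_EVENTS, allowlist=frozenset({"svc_backup"})):
        print(f"suspicious NTLM logon: {ev.account} from {ev.source_host} at {ev.time:%H:%M}")
```

With the service account allowlisted, the run flags `bob` (NTLM logon with no password entry at all) and `dave` (his only credential entry is 12 hours old, beyond the assumed window) while leaving `alice` alone. The window and the allowlist are the two knobs a practitioner has to tune per environment; the example also shows why a detector that only reads events from the target host is incomplete, since the legitimate credential-entry logon it depends on is usually recorded on a different machine and must be correlated centrally.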