New Research Paper: Pass-the-Hash Detection

February 2, 2018 Corey O'Connor

CyberArk Labs recently published a preview of research on our Threat Research Blog exploring ways to detect Pass-the-Hash (PtH) attacks using the Windows Event Viewer. As a follow-up to the highly referenced post, the Labs team has published a technical research paper with additional details on the technique. The new paper is available for download here.

As a refresher, PtH is an attack technique that leverages stolen credentials. It is often used in sophisticated attacks and represents a significant risk to organizations. This technique involves an attacker stealing account credentials from one computer and using them to authenticate to other access points in a network. Instead of requiring plaintext passwords, PtH attacks allow the attacker to authenticate with password hashes and begin lateral movement in the network over the NTLM protocol.

As part of this research, the Labs team evaluated a number of scenarios for PtH NTLM connections to pinpoint key indicators and to help distinguish between legitimate and illegitimate uses. Based on this exercise, the team designed an algorithm and open source tool (called Ketshash) to aid in detecting live PtH attempts. You can also watch a short demo video of Ketshash here.
