
Pass the hash detection using Windows Events

December 17, 2019

This paper focuses on detecting Pass-the-Hash attacks, after the credentials have been stolen, using the Windows Event Viewer.

Pass-the-Hash is an attack technique that allows an attacker to start lateral movement in the network over the NTLM protocol without needing the user's password, in contrast to Over-Pass-the-Hash, which uses the Kerberos protocol. We compare legitimate and illegitimate NTLM connections, show which indicators can be used to distinguish between them, and use those conclusions to build an algorithm that demonstrates detection of Pass-the-Hash attacks.

CyberArk Labs created a tool (Ketshash) that demonstrates the detection methods discussed in this paper. This paper does not provide a 100% solution for Pass-the-Hash attacks, but it shows what can be done with the available tools and how to build a general view of the NTLM connections over the network.
