Detecting Pass The Hash with Sysmon

Pass the Hash (PtH) attacks exploit a property of NTLM: the NT hash itself is the key material used in the challenge/response exchange, so an attacker who holds a stolen hash can authenticate without ever knowing the plaintext password. Because a hash-based NTLM logon is indistinguishable on the wire from a password-based one, detection cannot rely on the authentication itself. It relies on the surrounding behaviour: how the hash was obtained (access to lsass.exe), where and how it was used (logon type, logon process, workstation name) and what ran afterwards. That means combining the Windows Security log with Sysmon.


1. How PtH Attacks Work

Steps in a PtH Attack:

  1. Initial Access: The attacker gains a foothold, typically through phishing or an exploited service, and escalates to local administrator or SYSTEM on that host.

  2. Hash Extraction: Tools such as Mimikatz (sekurlsa::logonpasswords) read the NTLM hashes of logged-on accounts from the memory of lsass.exe. This needs the elevated rights from step 1, which is why access to lsass.exe is the first thing to watch.

  3. Lateral Movement: The attacker authenticates to other hosts with the stolen hash, for example with Mimikatz sekurlsa::pth, Impacket's psexec.py or wmiexec.py, or Metasploit's psexec module. On the target this looks like an ordinary NTLM network logon followed by a service- or WMI-spawned process.


2. Detection Techniques

A. Event Log Analysis

Key Event ID: 4624 (An account was successfully logged on)

Focus on the Security log and look for the following combination of fields. Each one is common on its own, so it is the combination, enriched with the source IP address and workstation name, that matters:

  • Logon Type = 3: Network logon, the type produced by SMB, WMI and the other remote access methods used for lateral movement.

  • Logon Process = NtLmSsp and Authentication Package = NTLM: The logon went through NTLM rather than Kerberos. PtH only works over NTLM, so Kerberos logons can be excluded outright.

  • Key Length = 0: No NTLM session key was negotiated. This does not prove that a hash rather than a password was used (the server cannot tell the two apart), but it is part of the pattern that common PtH tooling leaves and that public detection rules key on.

  • Security ID = NULL SID (S-1-0-0) in the Subject section: Normal for every network logon, so treat it as a filter condition rather than an indicator. Computer accounts (names ending in $) and ANONYMOUS LOGON match the same pattern and should be excluded.

  • Workstation Name: Compare it with the source IP address. A name that matches no known host, or differs from the name that source IP normally presents, is typical of attacker tooling.

On the host where the hash is used (the attacker's foothold), Mimikatz sekurlsa::pth produces a different and more specific 4624: Logon Type 9 (NewCredentials), Logon Process seclogo, Authentication Package Negotiate. A legitimate runas /netonly produces the same event, so correlate it with lsass.exe access rather than alerting on it alone.

Indicators of PtH in Event Viewer (target host):

Event ID: 4624
Logon Type: 3
Security ID: NULL SID
Logon Process: NtLmSsp
Authentication Package: NTLM
Key Length: 0
Workstation Name: RANDOM-HOST

Indicators on the source host (sekurlsa::pth or runas /netonly):

Event ID: 4624
Logon Type: 9
Logon Process: seclogo
Authentication Package: Negotiate
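The two 4624 patterns as detection logic, run over constructed sample records. This is an added example, not code from the original page. It flags the target-host pattern (Logon Type 3, NtLmSsp/NTLM, Key Length 0, NULL subject SID) after excluding ANONYMOUS LOGON and computer accounts, and the source-host pattern (Logon Type 9, seclogo, Negotiate). The events are dicts whose keys follow the 4624 EventData field names; the sample values, host names and IP addresses are made up.

```python
"""Flag candidate pass-the-hash logons in Security event 4624 records.

Added example, not code from the original page. Events are constructed
dicts whose keys mirror the 4624 EventData field names (LogonType,
LogonProcessName, AuthenticationPackageName, KeyLength, SubjectUserSid,
TargetUserName, WorkstationName, IpAddress), which is what most
EVTX-to-JSON exporters preserve.
"""
from typing import Iterable, List


def is_pth_candidate(evt: dict) -> bool:
    """True when a 4624 matches the target-host or the source-host pattern."""
    if evt.get("EventID") != 4624:
        return False
    target = evt.get("TargetUserName", "")
    # Machine accounts (name ends in $) and ANONYMOUS LOGON legitimately
    # produce the NtLmSsp / KeyLength 0 / NULL SID combination; drop them.
    if target.upper() == "ANONYMOUS LOGON" or target.endswith("$"):
        return False
    # The log pads the logon process name with spaces ("NtLmSsp "),
    # so strip before comparing.
    logon_process = evt.get("LogonProcessName", "").strip().lower()
    # Target-host pattern: NTLM network logon, no session key, NULL subject
    # SID. Ordinary NTLM traffic looks the same, so this is a lead to enrich
    # with IpAddress / WorkstationName, not proof on its own.
    target_host = (
        evt.get("LogonType") == 3
        and logon_process == "ntlmssp"
        and evt.get("AuthenticationPackageName", "").upper() == "NTLM"
        and str(evt.get("KeyLength", "")) == "0"
        and evt.get("SubjectUserSid") == "S-1-0-0"
    )
    # Source-host pattern: mimikatz sekurlsa::pth (like runas /netonly)
    # creates a NewCredentials logon (type 9) via the "seclogo" logon process.
    source_host = (
        evt.get("LogonType") == 9
        and logon_process == "seclogo"
        and evt.get("AuthenticationPackageName", "") == "Negotiate"
    )
    return target_host or source_host


def find_pth_candidates(events: Iterable[dict]) -> List[dict]:
    return [e for e in events if is_pth_candidate(e)]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {   # Kerberos network logon: benign
        "EventID": 4624, "LogonType": 3, "LogonProcessName": "Kerberos",
        "AuthenticationPackageName": "Kerberos", "KeyLength": 0,
        "SubjectUserSid": "S-1-0-0", "TargetUserName": "alice",
        "WorkstationName": "", "IpAddress": "10.0.0.15"},
    {   # NTLM network logon from an unexpected workstation name: candidate
        "EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp ",
        "AuthenticationPackageName": "NTLM", "KeyLength": 0,
        "SubjectUserSid": "S-1-0-0", "TargetUserName": "Administrator",
        "WorkstationName": "RANDOM-HOST", "IpAddress": "10.0.0.99"},
    {   # Same fields for a machine account: excluded
        "EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp ",
        "AuthenticationPackageName": "NTLM", "KeyLength": 0,
        "SubjectUserSid": "S-1-0-0", "TargetUserName": "WS01$",
        "WorkstationName": "WS01", "IpAddress": "10.0.0.20"},
    {   # sekurlsa::pth on the attacker's foothold: candidate
        "EventID": 4624, "LogonType": 9, "LogonProcessName": "seclogo",
        "AuthenticationPackageName": "Negotiate", "KeyLength": 0,
        "SubjectUserSid": "S-1-5-21-1-2-3-1001",
        "TargetUserName": "Administrator",
        "WorkstationName": "WS07", "IpAddress": "::1"},
    {   # Interactive console logon: out of scope
        "EventID": 4624, "LogonType": 2, "LogonProcessName": "User32 ",
        "AuthenticationPackageName": "Negotiate", "KeyLength": 0,
        "SubjectUserSid": "S-1-5-18", "TargetUserName": "bob",
        "WorkstationName": "WS02", "IpAddress": "127.0.0.1"},
]

if __name__ == "__main__":
    for hit in find_pth_candidates(SAMPLE_EVENTS):
        print(f"PtH candidate: logon type {hit['LogonType']} "
              f"user={hit['TargetUserName']} "
              f"ws={hit['WorkstationName']} ip={hit['IpAddress']}")
```

Running it reports the NTLM logon from RANDOM-HOST and the type 9 seclogo logon, and nothing for the Kerberos, machine-account and console logons. In production the target-host hits still need enrichment (is the IP a known admin jump host, does the workstation name match it) before they are worth an alert.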

B. Sysmon Detection Configuration

Sysmon provides granular visibility into process creation (Event ID 1) and process access (Event ID 10). The rule groups below belong inside the <EventFiltering> element of a Sysmon configuration file (loaded with sysmon -c config.xml). Note the matching semantics: with groupRelation="or" on the RuleGroup, every field condition listed directly under an event type matches on its own; conditions that must hold together belong inside a <Rule groupRelation="and">.

1. Detecting Lateral Movement Tools

On the target host, PsExec installs and starts PSEXESVC.exe as a service, and Impacket's wmiexec spawns cmd.exe under WmiPrvSE.exe with its output redirected to \\127.0.0.1\ADMIN$. Matching only the attacker-side binary name (for example "wmiexec") misses both, because the tool runs on the attacker's machine, not on the target. Sysmon string comparisons are case-insensitive, so "psexec" also matches PSEXESVC.exe:

<RuleGroup name="Detect PsExec and Lateral Tools" groupRelation="or">
  <ProcessCreate onmatch="include">
    <!-- psexec.exe / psexec64.exe on the source, PSEXESVC.exe on the target -->
    <Image condition="contains">psexec</Image>
    <!-- Impacket wmiexec on the target: WmiPrvSE.exe spawns cmd.exe writing to ADMIN$ -->
    <Rule groupRelation="and">
      <ParentImage condition="end with">\WmiPrvSE.exe</ParentImage>
      <CommandLine condition="contains">\\127.0.0.1\ADMIN$</CommandLine>
    </Rule>
  </ProcessCreate>
</RuleGroup>

2. Detecting Unauthorized lsass.exe Access

Monitor processes that open lsass.exe with read access to its memory, the step that precedes hash extraction. Sysmon logs GrantedAccess as a hexadecimal access mask (for example 0x1010), not as symbolic names, so a rule that looks for the string PROCESS_VM_READ never fires. Mimikatz's sekurlsa module typically requests 0x1010 (PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION); 0x1038, 0x1410 and 0x1FFFFF (PROCESS_ALL_ACCESS) are other masks seen from dumping tools. Expect to allow-list legitimate readers such as AV/EDR agents after baselining:

<RuleGroup name="Detect Lsass Access" groupRelation="or">
  <ProcessAccess onmatch="include">
    <Rule groupRelation="and">
      <TargetImage condition="is">C:\Windows\System32\lsass.exe</TargetImage>
      <!-- hex masks as Sysmon logs them; 0x1010 = VM_READ | QUERY_LIMITED_INFORMATION -->
      <GrantedAccess condition="is any">0x1010;0x1038;0x1410;0x1FFFFF</GrantedAccess>
    </Rule>
  </ProcessAccess>
</RuleGroup>

3. Suspicious Process Creations Post-Exploitation

lsass.exe does not launch child processes in normal operation, so a cmd.exe whose parent is lsass.exe indicates code injected into LSASS, which is how some in-memory credential-theft tooling runs. This rule is not specific to the hash-use step of PtH, but it catches the hash-theft stage. Both conditions must hold, so they are wrapped in an "and" rule; listed directly under ProcessCreate in an "or" group, the Image condition alone would match every cmd.exe started on the host:

<RuleGroup name="Detect Suspicious Process Creation" groupRelation="or">
  <ProcessCreate onmatch="include">
    <Rule groupRelation="and">
      <ParentImage condition="end with">\lsass.exe</ParentImage>
      <Image condition="end with">\cmd.exe</Image>
    </Rule>
  </ProcessCreate>
</RuleGroup>

4. Sample Sysmon Logs for PtH Detection

Sysmon Event ID 1 (Process Create)

Detect suspicious child processes spawned from critical system processes:

Event ID: 1
RuleName: Detect Suspicious Process Creation
UtcTime: 2024-11-12 10:23:45.123
Image: C:\Windows\System32\cmd.exe
ParentImage: C:\Windows\System32\lsass.exe

Sysmon Event ID 10 (Process Access)

Identify processes accessing lsass.exe:

Event ID: 10
RuleName: Detect Lsass Access
UtcTime: 2024-11-12 10:21:34.567
SourceImage: C:\Tools\Mimikatz.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1010

5. Best Practices for Mitigating PtH Attacks

  1. Enforce Least Privilege:

    • Limit administrative access to reduce the number of hosts where a privileged hash is present in lsass.exe memory.

    • Use Just-In-Time (JIT) administration to grant temporary privileges.

    • Give every host a unique local administrator password (Windows LAPS) so that one dumped local hash does not open every other machine.

  2. Enable Credential Guard and LSA Protection:

    • Credential Guard moves NTLM hashes and Kerberos keys out of lsass.exe into an isolated, virtualization-protected process (LSAIso), so a memory dump of lsass.exe no longer yields them.

    • LSA Protection (RunAsPPL) runs lsass.exe as a protected process, so non-protected code, including Mimikatz, cannot open it with read access; the Sysmon rule above then records the failed or blocked attempts.

  3. Monitor Logs Continuously:

    • Leverage SIEM tools to aggregate and analyze Event Viewer and Sysmon logs in real-time.

    • Set alerts for specific Sysmon events indicating PtH activity.

  4. Audit and Restrict NTLM Authentication:

    • Use the "Network security: Restrict NTLM" policies to audit NTLM use first, then block it wherever nothing depends on it, and prefer Kerberos. Workgroup hosts, IP-based access and some appliances still need NTLM, so blocking without an audit phase breaks things.

  5. Apply Network Segmentation:

    • Isolate sensitive systems to limit lateral movement opportunities.


Key Points

By combining the Security log's 4624 events (logon type, logon process, key length and workstation name on the target; the type 9 seclogo logon on the source) with Sysmon's process-access and process-creation events around lsass.exe, defenders can detect Pass the Hash activity that the authentication itself does not reveal. A correctly structured Sysmon configuration and continuous correlation of these events let security teams identify and contain such activity quickly.
