Windows Pass The Hash Detection

Tracking user accounts to detect Pass the Hash (PtH) requires creating a custom view with XML, which exposes filtering options beyond what the Event Viewer's graphical filter offers. The event query language is based on XPath, and the XPath queries below are intended for the XML tab of the Event Viewer's **Custom Views**.

The recommended **QueryList** below is limited in the PtH activity it can detect. It focuses on lateral movement by an attacker using local accounts that are not part of the domain: it captures events showing a local (non-domain) account connecting remotely to another machine. In a domain-joined environment this should be a rare event, so any occurrence should be treated as suspicious and investigated. Three caveats apply. The events are written to the Security log of the machine being logged on to, so that host must have logon auditing (success and failure) enabled, and to watch more than one host the Security logs have to be forwarded to a central collector. PtH performed with a stolen domain account produces an NTLM network logon that looks like ordinary NTLM use and is excluded by this filter, so the view does not cover that case. Legitimate local-account use, such as a local administrator account used by backup or management tools, will also match and should be baselined before alerting on it.

The successful use of PtH for lateral movement between workstations triggers event ID 4624, with an event level of Information, in the Security log. The event has a **LogonType** of 3 (network logon) using NTLM authentication, where the account is not a domain account and not the ANONYMOUS LOGON account. To clearly summarize the event that is being collected, see event 4624 below. In the **QueryList** below, substitute the domain-name placeholder with your own domain name.

A failed logon attempt while trying to move laterally using PtH triggers event ID 4625. This event likewise has a **LogonType** of 3 using NTLM authentication where it is not a domain logon and not the ANONYMOUS LOGON account. To clearly summarize the event that is being collected, see event 4625 below.
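The filter described above, as an added example that is not part of the original page: a PowerShell script that runs the same XPath **QueryList** with `Get-WinEvent` against the local Security log and summarises the matching 4624/4625 events. The domain name `CONTOSO` is a placeholder, the EventData field names (`TargetUserName`, `TargetDomainName`, `WorkstationName`, `IpAddress`) are the standard ones for these two events, and the script assumes it runs elevated, since reading the Security log requires administrator rights.

```powershell
# Added example (not from the original page): run the 4624/4625 Pass-the-Hash custom-view
# filter from PowerShell against the local Security log instead of the Event Viewer GUI.
# Assumption: the domain's NetBIOS name is CONTOSO; replace it with your own.
$Domain = 'CONTOSO'

# XPath filter in the same form Event Viewer's Custom Views use. It keeps Security events
# 4624 (success) and 4625 (failure) that are network logons (LogonType 3) authenticated
# with NTLM, drops ANONYMOUS LOGON, and drops accounts belonging to the domain itself,
# which leaves local (non-domain) accounts connecting to this host remotely.
$QueryXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625)]]
      and *[EventData[Data[@Name='LogonType']='3']]
      and *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]
      and *[EventData[Data[@Name='TargetUserName']!='ANONYMOUS LOGON']]
      and *[EventData[Data[@Name='TargetDomainName']!='$Domain']]
    </Select>
  </Query>
</QueryList>
"@

# -ErrorAction SilentlyContinue suppresses the "No events were found" error on a clean host.
$events = Get-WinEvent -FilterXml ([xml]$QueryXml) -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Read the named EventData fields from the event XML rather than parsing message text,
    # so the output does not depend on the localized event description.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    [pscustomobject]@{
        Time        = $_.TimeCreated
        EventId     = $_.Id
        Result      = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
        Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Workstation = $d.WorkstationName      # source host name as reported by the client
        SourceIp    = $d.IpAddress            # source address of the network logon
        LogonType   = $d.LogonType
        AuthPackage = $d.AuthenticationPackageName
    }
} | Sort-Object Time | Format-Table -AutoSize
```

The XML between the `@"` and `"@` markers, with `$Domain` replaced by the actual domain name, can be pasted unchanged into the XML tab of a Custom View. When reviewing the output, a local account (the `Account` column shows a computer name rather than the domain) arriving from another workstation's address is the pattern the view is designed to surface; repeated 4625 failures for the same local account from one source are the failed-attempt case.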

Last modified September 14, 2021