Pass The Hash Detection With Windows Event Viewer PDF 1690757914
Pass The Hash Detection With Windows Event Viewer PDF 1690757914
www.cyberark.com
CYBER ARK L ABS RESEARCH
Table of Contents
Figures..............................................................................................................................................................................3
Tables................................................................................................................................................................................4
Finding an anchor...........................................................................................................................................................5
NTLM connections overview........................................................................................................................ 6
Environment........................................................................................................................................... 6
Legitimate NTLM connections examples....................................................................................................7
RDP via NTLM connection with domain admin account................................................................7
Mount administrative share via NTLM with domain admin account.......................................... 9
Illegitimate NTLM connections examples..................................................................................................11
Pth-Winexe from Kali to Windows 10................................................................................................11
Mounting administrative network share with Mimikatz from Windows 10 to Windows 7... 12
Mounting administrative share from Windows 7 to Windows 10 with WCE............................16
Identifying legitimate NTLM connections................................................................................................ 18
Privileged NTLM connections......................................................................................................................19
Putting the pieces together.......................................................................................................................................19
A proposed alogrithm...................................................................................................................................19
Flow diagram.................................................................................................................................................. 21
Advantages......................................................................................................................................................22
Disadvantages................................................................................................................................................22
Things to keep in mind.................................................................................................................................22
Timing is everything............................................................................................................................22
Sabotaging the event viewer.............................................................................................................23
Summary........................................................................................................................................................................23
References.....................................................................................................................................................................23
www.cyberark.com Page 2 of 23
CYBER ARK L ABS RESEARCH
Figures
Figure 1 Event Properties: Event 4624...................................................................................................................5
Figure 2 RDP via NTLM Simulation diagram........................................................................................................ 8
Figure 3 Mount Share Simulation diagram.......................................................................................................... 9
Figure 4 PTH-Winexe Simulation Diagrahm........................................................................................................11
Figure 5 Passing the hash with Pth-winexe.........................................................................................................11
Figure 6 Event ID 4672 indicates a privileged session initiation on the target machine............................11
Figure 7 Mimikatz Simulation diagram................................................................................................................ 12
Figure 8 Passing the hash with Mimikatz............................................................................................................ 12
Figure 9 Compare between Event ID 4624: Windows 7 Event viewer- vs - Windows 10 Event viewer... 13
Figure 10 Event ID 303 indicates a credentials use.............................................................................................. 13
Figure 11 Mimikatz use of CreateProcessWithLogonW...................................................................................... 14
Figure 12 Ruas /netonly use of CreateProcessWithLogonW............................................................................. 14
Figure 13 Event ID 4656 indicates writing to LSASS memory............................................................................ 15
Figure 14 Mounting Administrative Share Simulation Diagram.......................................................................16
Figure 15 Passing the hash with Windows Credentials Editor..........................................................................16
Figure 16 WCE service creation log......................................................................................................................... 17
Figure 17 WCE with two instances on Process Explorer..................................................................................... 17
Figure 18 Logon session transferred through the pipeline................................................................................ 17
Figure 19 LSASS.exe loads wceaux.dll..................................................................................................................... 17
Figure 20 Events ID 4768 and 4769.......................................................................................................................... 18
Figure 21 Correlating Events 4624 and 4672 by TargetLogonId and SubjectLogonId....................................19
Figure 22 Example for diagram based on section 4.............................................................................................22
www.cyberark.com Page 3 of 23
CYBER ARK L ABS RESEARCH
Tables
Table 1 Microsoft Logon Types..................................................................................................................................7
Table 2 Event 4648 on the source machine (MARS-10)........................................................................................ 8
Table 3 Event ID 4776 on the domain controller................................................................................................... 8
Table 4 Event ID 4672 indicates a privileged session initiation on the target machine (MARS-7).............. 9
Table 5 Events ID 4648 and 4624 on the source machine (MARS-10)...............................................................10
Table 6 Events ID 4768 and 4769 indicate a Kerberos authentication on the domain controller..............10
Table 7 Event ID 4624 with logon type 9 (“NewCredentials”)............................................................................ 14
Table 8 Event ID 4776 on the domain controller.................................................................................................. 15
Table 9 Event ID 4672 indicates a privileged session initiation on the target machine (MARS-7)............. 15
Table 10 Event ID 4776 on the domain controller.................................................................................................. 18
Table 11 Event ID 4672 indicates a privileged session initiation on the target machine (MARS-10)........... 18
www.cyberark.com Page 4 of 23
CYBER ARK L ABS RESEARCH
Finding an anchor
Once an attacker steals user’s credentials, he can use it to open new session on the current computer or on a remote computer (if the stolen
account has permissions on this computer). When he starts lateral movement over the network one of two protocols will be in use: NTLM (Pass-
The-Hash) or Kerberos (Over Pass-The-Hash). Our focus is on Pass-the-Hash, therefore we will cover only connections over NTLM protocol.
Pass-The-Hash is a bit more difficult to detect comparing to Over Pass-The-Hash as their Indicators of Compromises (IOCs) are more subtle.
Information related to Over Pass-The-Hash can be found here (by Benjamin Delpy) and here (by Nikhil Mittal).
One of the triggers to use NTLM protocol is when a client authenticates to a server using IP address. This is the “anchor” that can be used to
detect Pass-The-Hash attack over the network – NTLM connections. NTLM connections can be identified by monitoring events ID 4624
(“An account was successfully logged on”) with logon type 3 (“A user or computer logged on to this computer from the network”) and NTLM
authentication package NTLM (or by logon process name NtLmSsp) which indicates the use of NTLM protocol for the authentication. See
Figure 1 below for example.
www.cyberark.com Page 5 of 23
CYBER ARK L ABS RESEARCH
NTLM connections could also be detected by monitoring network traffic. Although NTLM authentication is an old authentication method and
most of the authentications in the organizations today are based on Kerberos, some applications are still using it and according to Microsoft:
NTLM authentication is still supported and must be used for Windows authentication with
systems configured as a member of a workgroup. NTLM authentication is also used for local
logon authentication on non-domain controllers. Kerberos version 5 authentication is the
preferred authentication method for Active Directory environments, but a non-Microsoft or
Microsoft application might still use NTLM.
Users:
• Student1 (standard user)
• Local_admin (local administrator)
• Legit1, legit2, bad1, bad2 and bad3 (domain admin users)
www.cyberark.com Page 6 of 23
CYBER ARK L ABS RESEARCH
Tools:
• M imikatz
• P th-winexe – part of Kali’s built-in tools
• Windows Credentials Editor (WCE)
• Invoke-Smbclient
Events map:
• 4768 - A Kerberos authentication ticket (TGT) was requested
• 4769 - A Kerberos service ticket was requested
• 4648 - A logon was attempted using explicit credentials
• 4672 - Special privileges assigned to new logon
• 4624 - An account was successfully logged on
• *4776 - The computer attempted to validate the credentials for an account. It is generated when the domain controller successfully
authenticates a user via NTLM
* In all the examples where event 4776 was displayed, the authentication package was: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
www.cyberark.com Page 7 of 23
CYBER ARK L ABS RESEARCH
To simulate such scenario, we used the non-privileged account student1 and the privileged account legit1 in the following way:
Our user, student1 is logged on to MARS-10 and connects via RDP to MARS-7 by entering MARS-7’s IP address with the domain admin account
legit1. When our user, student1 inserts legit1 credentials to escalate privileges and execute the task, event ID 4648 will be generated on the
source machine (MARS-10) indicating explicit usage of credentials. The event indicates that credentials were inserted interactively (it doesn’t
have to be at the same time, e.g. password inserted to privileged scheduled task) by the user, which in other words mean that the current user
has knowledge of the clear text password.
Target Domain
Subject User Sid
Code Name Target machine Process name Subject Logon ID Time seq.
(resolved)
\Target User Name
4648 CYBER\student1 CYBER\legit1 MARS-7.cyber.com C:\Windows\System32\ 0x2a9a2 #1
LSASS.exe
As the new credentials used by student1 are domain credentials, the domain controller receives the authentication request, originating from
target machine (MARS-7), which initiates the authentication process in the NTLM authentication scheme. The NTLM authentication attempt is
registered as event ID 4776 on the domain controller.
Target Domain
Name
Code Workstation Time seq.
\Target User
Name
4776 legit1 MARS-10 #4
As soon as the privileged account, legit1, is granted privileged access to the target machine (MARS-7), event ID 4672 is generated, indicating an
initiation of a privileged session on the target machine.
www.cyberark.com Page 8 of 23
CYBER ARK L ABS RESEARCH
Table 4. Event ID 4672 indicates a privileged session initiation on the target machine (MARS-7)
In this scenario, of NTLM based RDP connection, the 4648 event is the most significant indication of a legitimate connection and
authentication. In case of credentials theft and utilization of Pass-The-Hash, the malicious actor might have access to the password hash
only. Therefore, when the credentials will be used or injected into a new or existing session, event 4648 might be absent and so exposing the
potentially malicious activity.
To simulate this scenario, we used the non-privileged account student1 and the privileged account legit1 in the following way:
student1 is logged on to MARS-10, he is using the Run as different user option to open an elevated command line interface (CLI) by providing a
privileged account legit2’s credentials and mounts an administrative network share.
* Notice to the difference between right clicking on a file and choosing Run as different user to Run as administrator.
Run as administrator might validate the password, in some scenarios, with the cached passwords on the machine and therefore there will be no
related events on the domain controller. In such cases all 4624 events will be assigned logon type 11.
When our user, student1 inserts legit1 credentials to escalate privileges and open the CLI, events ID 4648 and 4624 with logon type 2
(Interactive) will be generated on the source machine (MARS-10). Event ID 4648 was already mentioned in the previous example but the new
event ID 4624 with logon type 2 (Interactive) is also an indication that credentials were inserted interactively by the user.
www.cyberark.com Page 9 of 23
CYBER ARK L ABS RESEARCH
Process
Subject Target Domain Authentication Subject Target
Workstation Logon Name\ Time
Code User Sid Name Package Logon Logon
Name Type Target seq.
(resolved) \Target User Name Name ID ID
machine
4648 CYBER\ CYBER\legit2 C:\ 0x2a9a2 #1
student1 Windows\
System32\
consent.exe
localhost
4624 S-1-0-0 CYBER\legit2 MARS-10 2 Negotiate 0x2a9a2 0x86747e #2
4672 CYBER\ 0x86747e #3
legit2
The domain controller receives this authentication request by the user legit2 from the target machine (MARS-7) but unlike the previous
example, this time it initiates a Kerberos authentication. The Kerberos authentication is registered as evens ID 4768 and 4769 on the domain
controller.
Table 6. Events ID 4768 and 4769 indicate a Kerberos authentication on the domain controller
Once the privileged account, legit2, is mounting the administrative share, event ID 4672 is generated, indicating an initiation of a privileged
session on the target machine (MARS-7).
Table 2-3. Event ID 4672 indicates a privileged session initiation on the target machine (MARS-7)
In this scenario, of mounting administrative share, a new events ID 4624 with logon type 2, event 4768 and 4769 are another strong indication
of a legitimate connection and authentication. We also had event ID 4648 but in some scenarios, like unlocking the workstation, we will have
only event ID 4624 on the source machine (MARS-10) and events 4768 & 4769 on the domain controller.
www.cyberark.com Page 10 of 23
CYBER ARK L ABS RESEARCH
To simulate such a scenario, we used Kali’s user root and the hash of a privileged account bad1 in the following way:
root is logged on to Kali and pass the hash of the privileged account bad1 to the tool pth-winexe together with the MARS-10’s IP and create a
reverse shell to MARS-10.
Kali is a Linux distribution used as the source machine in this scenario and there are no logs on this machine.
After the user root executed pth-winexe, event 4672 is generated, indicating an initiation of a privileged session on the target machine
(MARS-10).
* 4674 – “An operation was attempted on a privileged object.” Only when enabling the security option “Audit: Audit the use of Backup and
Restore privilege”.
www.cyberark.com Page 11 of 23
CYBER ARK L ABS RESEARCH
Target User
Code Workstation IP Address Time seq.
Name
4776 bad1 KALI #4
The tool pth-winexe is used as SMB client that installs the service winexesvc which creates a reverse shell. Similar tools for Windows can be found
in the project Invoke-TheHash wrote by Kevin Robertson. One tool, the Invoke-SMBClient, is used as a SMB client and when running it on a
Windows machine no logs are generated, only on the target. Because it is used as SMB client it doesn’t need to write anything to LSASS.exe and
no logon session is created on the source machine.
In this illegitimate scenario, passing the hash with implemented SMB client, there are no indications for a legitimate connection and therefore we
will detect it as a suspicious connection.
To simulate such a scenario, we used the non-privileged account student1, privileged local account local_admin and privileged domain account
bad2 in the following way:
student1 is logged on to MARS-10, he is using Mimikatz, with local administrator account local_admin, to pass the hash of privileged account bad2
in order to open an elevated command line interface (CLI). Then he mounts an administrative share by entering MARS-7’s IP address.
www.cyberark.com Page 12 of 23
CYBER ARK L ABS RESEARCH
When our user, local_admin used the privileged account’s hash bad2 to execute Pass-The-Hash attack and create the elevated CLI, event ID 4624
with logon type 9 (NewCredentials) will be generated on the source machine (MARS-10), indicating that a new logon session with two accounts
has been created, the primary account (local_admin) is for local identity and the secondary (bad2) is for other network connections. The event
could be a good indicator but it has number of drawbacks. The first drawback is that the same scenario on Windows 7 as the source machine has
different results. The account (bad2) of the stolen hash is missing as depicted in the windows event captures in figure 9 (Win7 vs Win10).
Figure 9. Compare between Event ID 4624: Windows 7 Event viewer- vs - Windows 10 Event viewer
A workaround for this can be by enabling “Microsoft-Windows-LSA/Operational” (disabled by default). Once event 4624 with logon type 9
occurred, at the same time ID 303 should appear:
Another issue that came up is the gap of times between executing new logon session with Mimikatz to mounting administrative share. How much
time backwards to look for event 4624 with logon type 9? Setting a constant time is not the best solution because it can cause false positive or
false negative depending on the time that was set. For example, searching for event 4624 with logon type 9 one hour backward can cause false
negative when the attacker waited two hours after opening the logon session and then executed commands on the remote machine.
Another option can be by creating a correlation. Once NTLM event was detected, searching on the source machine for event 4648 (with
process id 0x4) at almost the same time (3-5 seconds before the NTLM event). Taking the SubjectLogonId’s value and search if there is
an event 4624 (logon type 9) with the same value on the TargetLogonId variable. More generic approach will be to search for event 4648
with process id 0x4 at almost the same time of the NTLM event and mark it as illegitimate. It also possible to do it opposite and search for event
4648 without process id 0x4 and mark it as legitimate.
With all these suggestions, we need to recall that logon type 9 was not created especially for Mimikatz. It was used for applications that needed
to work with different set of credentials locally than they do it remotely.
www.cyberark.com Page 13 of 23
CYBER ARK L ABS RESEARCH
Mimikatz is using CreateProcessWithLogonW which together with the argument LOGON _ NETCREDENTIALS _ ONLY is generating
event 4624 with logon type 9.
An example for legitimate event 4624 with logon type 9 is the use of runas /netonly which acts similar to Mimikatz with the only exception that it
doesn’t change the logon session in LSASS.exe and doesn’t use the CREATE _ SUSPENDED argument:
After mounting the administrative share from the CLI, event ID 4648 will be generated on the source machine (MARS-10) indicating an explicit
usage of credentials although no one entered new credentials. This is because the action of mounting an administrative share is a network task
and because the logon session type is 9 (NewCredentials), it used its secondary account for this task which cause this event.
Process
Target Out-
Target Domain Worksta- name ma-
Subject bound Domain Auth. Subject Target
Name tion Logon chine \ Time
Code User Sid Name \Target Package Logon Logon
\Target User Name Type Target seq.
(resolved) Outbound User Name ID ID
Name Server
Name
Name
4624 MARS-10\ MARS-10\lo- CYBER\bad2 MARS-10 9 Negotiate C:\Windows\ 0x908C4E 0x917291 #1
local_admin cal_admin System32\
svchost.exe
4672 MARS-10\ 0x917291 #2
local_admin
*4656 MARS-10\ 0x908C4E #3
local_admin
After mounting the network share
4648 MARS-10\ CYBER\bad2 SYSTEM 0x917291 #4
local_admin (PID 4)
MARS-7.
cyber.com
www.cyberark.com Page 14 of 23
CYBER ARK L ABS RESEARCH
* This event will appear only if auditing on object has been enabled.
With event 4656 we can see writing to LSASS.exe memory and get more accurate detection:
This new information is applying to Windows 10 and Server 2016 and more information can be found here.
Same as in previous scenarios, the NTLM authentication attempt is registered as event ID 4776 on the domain controller.
As soon as the privileged account, bad2, is granted privileged access to the target machine (MARS-7), event ID 4672 is generated, indicating an
initiation of a privileged session on the target machine (MARS-7).
Authentication
Subject Target Domain Subject Target
Workstation Logon Package
Code User Sid Name Logon Logon Time seq.
Name Type Name
(resolved) \Target User Name ID ID
4672 CYBER\bad2 0x11fca08 #5
4624 S-1-0-0 CYBER\bad2 MARS-10 3 NTLM 0x0 0x11fca08 #6
Table 9. Event ID 4672 indicates a privileged session initiation on the target machine (MARS-7)
www.cyberark.com Page 15 of 23
CYBER ARK L ABS RESEARCH
In this scenario, the event ID 4624 with logon type 9 is the most significant indication for the use of Mimikatz. But legitimate applications can
also generate this event and therefore false positive can occurred.
student1 is logged on to MARS-7, he is using WCE, with local administrator account local_admin, to pass the hash of privileged account bad3 to
the current logon session. Then he mounts an administrative share by entering MARS-10’s IP address.
This scenario doesn’t generate any trace logs on the security logs of the source machine (MARS-7). There are only new logs in the system events
that indicates that a new service was created.
When we used Mimikatz to inject the hash into LSASS.exe memory and create new command line interface (CLI), logon event 4624 logon type
9 was generated. This is not the case when WCE (Windows Credentials Editor) is considered.
WCE doesn’t use CreateProcessWithLogonW (although it has a call to this function in its code) in contrary to Mimikatz as we saw in the
previous scenario.
www.cyberark.com Page 16 of 23
CYBER ARK L ABS RESEARCH
The service has higher (SYSTEM) integrity over the process (High):
The process is sending the logon session information through pipe \\.\pipe\WCEServicePipe to the service:
The service unpacks a binary resource named wceaux.dll. It injects the DLL to LSASS.exe
www.cyberark.com Page 17 of 23
CYBER ARK L ABS RESEARCH
Then it uses the exported function WCEAddNTLMCredentials to change the logon session in LSASS.exe. At the time of writing this article,
WCE doesn’t support Windows 10. It supports Windows XP, Windows 2003, Vista, Windows 7 and Windows 2008 (all SPs, 32bit and 64bit
versions). Same as in previous scenarios, the NTLM authentication attempt is registered as event ID 4776 on the domain controller.
As soon as the privileged account, bad3, is granted privileged access to the target machine (MARS-10), event ID 4672 is generated, indicating
the initiation of a privileged session on the target machine (MARS-10).
Table 11. Event ID 4672 indicates a privileged session initiation on the target machine (MARS-10)
In this scenario, of using WCE to pass the hash, there was no indication for a legitimate nor illegitimate connection by the user bad3. In such
case we will detect it as a suspicious connection.
www.cyberark.com Page 18 of 23
CYBER ARK L ABS RESEARCH
Notice that events 4768 and 4769 can be used instead of event 4624 and vice versa to identify a legitimate logon. The difference between
them is that 4768 and 4769 are generated on the domain controller while event 4624 is generated on the source machine.
Furthermore, checking to see if the user is privileged based on their membership in an AD group is not enough. There is a possible scenario were
accounts are not part of any privileged AD group but have local administrator permissions on the target machine.
Creating correlation between the NTLM event (4624) to event 4672 is possible by checking that event 4624’s TargetLogonId is the same
as in event 4672’s SubjectLogonId.
Figure 21. Correlating Events 4624 and 4672 by TargetLogonId and SubjectLogonId
www.cyberark.com Page 19 of 23
CYBER ARK L ABS RESEARCH
5. If the account from NTLM event generated logon event 4624 (with logon types 2,7, 10 or 11) from the source machine X hours before the
NTLM event => mark as legitimate
6. If the account from NTLM event generated event 4648 (explicit credential use) without process id 0x4 from the source machine Y
seconds before the NTLM event => mark as legitimate
7. Everything else => mark as suspicious
Notes:
• Choosing between sections 4 and 5, will be the same as both of them deserve the same goal. It is preferred to use section 5 because it
removes the dependency on getting the logs from a third machine - domain controller and anyway there is a need to check event 4648 on
the source machine.
• S ection 6 cannot replace 4 and 5 because there are scenarios when a privileged account is logged on interactively and connects to a
remote machine over NTLM. In this case event 4648 won’t appear.
• S ection 3 is optional and will cause constant false positive for applications that generates event 4624 with logon type 9. Section 6 already
covers section 3.
• A ny change to the X and Y variables will change the level of false positive and false negative.
The more X or Y will increase, less false positive and more false negative events will appear.
The more X or Y will decrease, more false positive and less false negative events will appear.
To illustrate the principals of this research, CyberArk Labs has release a new tool that implements the detections described in this research
paper in a tool called – Ketshash.
www.cyberark.com Page 20 of 23
CYBER ARK L ABS RESEARCH
Flow diagram
www.cyberark.com Page 21 of 23
CYBER ARK L ABS RESEARCH
Advantages
• Covers all pass the hash attacks over the network
Disadvantages
• T here is a gap that can lead to false negative or false positive, depending on the time that was set to check the legitimate logon events
(4768, 4769, 4624 and 4648)
• Simulating legitimate events, such as creating privileged scheduled tasks with Pass-The-Hash which will generated event 4648, before the
NTLM event can cause false negative
• Requires to be able to get logs from endpoints in the organization
• Requires for the involved machines to be synchronized on time
This is just one example on how to put this research into a detection approach for Pass-the-hash. More variants of this algorithm are possible
with the research supplied.
If there are too many false positives it is possible to monitor only sensitive machines for NTLM connections and reduce the false positives. It is
important to understand that although false positive events might appear, they are still NTLM connections. The NTLM protocol has been
exposed to large amount of attacks over the years and it is recommended to use Kerberos authentication instead, as Microsoft mentioned here:
The Microsoft Kerberos security package adds greater security than NTLM to systems on a network.
Timing is everything
Timing is very important when creating correlations between the events. Machines with even the slightest asynchrony time between them can
affect the results.
One example:
A Legitimate NTLM event occurred on the target machine via NTLM at 15:55 after the user logged in at 16:00 on the source machine. In such
cases, when searching for the legitimate logons prior to 15:55, no legitimate event will be found, producing a false negative alert.
One way to resolve this is to check the time of the source and the target machines in parallel (to prevent possible delays) and adjust one of
them to the time of the other. Following our example, checking first the time difference between the source and the target yields -5. Therefore,
searching for a legitimate logon should start from target machine’s current time (15:55) + 5 minutes which is 16:00 on the source machine.
It also should be noted that even the time check itself might suffer from time delay. Checking the time on a machine can take time and
therefore it should be measured in order to remove the overhead. For example, two machines that are synchronized, might be considered
unsynchronized if on one machine, the time check takes 5 seconds.
In a perfect world, we would expect that all the machines will be synchronized by a time service and therefore be synchronized to the same time
but this is often not the case in reality, machines are not always synchronized with the same time. It was also mentioned by Microsoft that it is
possible for two computers to be often out of sync.
www.cyberark.com Page 22 of 23
CYBER ARK L ABS RESEARCH
Stopping from event viewer to generate logs or hide them on the source machine will still be detected as illegitimate connection because without
logs on the source machine it is not possible to mark the connection as legitimate.
A more concerning issue can be when the attacker is familiar with the detection algorithm and edits the logs on the source machine to look like a
legitimate logon. In such case, the use of Kerberos events on the domain controller can have an advantage.
Another problem is when the attacker succeeds to hide the NTLM events (event 4624, logon type 3) on the target machine. In order to
sabotage the logs, the attacker will need to connect the machine by NTLM connection which will generate a NTLM event. Forwarding the logs
once they are generated can detect the NTLM connection before they are sabotaged.
Summary
This paper documented a way to detect suspicious NTLM connections in general and pass the hash in particular. A key recommendation to do
this detection is to get the logs from the source machine. By changing some filtering parameters such as time, accounts (only privileged) and
machines (only sensitive to the organization) the company wants to monitor, it is possible to reduce many false positives. All other detections
that turn out to be false positives should warrant a check and determination if it is possible to change the authentication method to a more
secure one.
We used an approach that requires to connect the machines directly, and while the mechanism to get the logs is out of scope for this research, it is worth
noting that another approach could be by forwarding all the event logs to one place (like WEF server) which has its own advantages and disadvantages.
In the end, understanding the overall picture of NTLM connections, in particular privileged connections, in an organization can help be a catalyst
for change to a more secure connection strategy and prevention of future attacks.
References
https://blogs.msdn.microsoft.com/chiranth/2013/09/20/ntlm-want-to-know-how-it-works/
https://support.microsoft.com/en-us/help/322979/kerberos-is-not-used-when-you-connect-to-smb-shares-by-using-ip-addres
https://www.sans.org/reading-room/whitepapers/testing/crack-pass-hash-33219
https://www.sans.org/reading-room/whitepapers/testing/pass-the-hash-attacks-tools-mitigation-33283
https://www.blackhat.com/docs/us-14/materials/us-14-Hathaway-Why-You-Need-To-Detect-More-Than-PtH-WP.pdf
http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day2.html
http://blog.gentilkiwi.com/securite/mimikatz/overpass-the-hash
https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don’t-Get-It-wp.pdf
©Copyright 1999-2018 CyberArk Software. All rights reserved. No portion of this publication may be reproduced in any form or by any means without the express written consent of
CyberArk Software. CyberArk ®, the CyberArk logo and other trade or service names appearing above are registered trademarks (or trademarks) of CyberArk Software in the U.S. and
other jurisdictions. Any other trade and service names are the property of their respective owners. U.S., 01.18. 205301743
CyberArk believes the information in this document is accurate as of its publication date. The information is provided without any express, statutory, or implied warranties and is subject
to change without notice.
THIS PUBLICATION IS FOR INFORMATIONAL PURPOSES ONLY AND IS PROVIDED “AS IS” WITH NO WARRANTIES WHATSOEVER WHETHER EXPRESSED OR IMPLIED,
INCLUDING WARRANTY OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, NON-INFRINGEMENT OR OTHERWISE. IN NO EVENT SHALL CYBERARK
BE LIABLE FOR ANY DAMAGES WHATSOEVER, AND IN PARTICULAR CYBERARK SHALL NOT BE LIABLE FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, OR
INCIDENTAL DAMAGES, OR DAMAGES FOR LOST PROFITS, LOSS OF REVENUE OR LOSS OF USE, COST OF REPLACEMENT GOODS, LOSS OR DAMAGE TO DATA
ARISING FROM USE OF OR IN RELIANCE ON THIS PUBLICATION, EVEN IF CYBERARK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
www.cyberark.com Page 23 of 23