This type of attack allows an attacker to authenticate against remote systems (usually Windows) without possessing the actual login credentials. Instead, the attacker obtains an (NTLM or Kerberos) hash from the compromised system and then uses that hash to authenticate against remote systems.
While these attacks are difficult to detect, they can be discovered from several angles.
EventSentry Benefits

Anomaly Detection: Anomaly monitoring can detect and flag unusual logon activity, e.g. logons from a previously unknown user and/or IP address. Lateral movement across the infrastructure, which is usually a symptom of a pass-the-hash attack, can be detected with collector-side threshold filters.

Detecting suspicious behavior with Sysmon: Certain Sysmon events can reveal suspicious behavior, such as attempts to access the lsass.exe process.
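The two detection angles described above (flagging logons from a previously unknown user/IP pair, and a threshold on how many distinct hosts one source logs on to within a short window) as an added illustration in Python; this is not EventSentry code, and the logon records, the baseline of known pairs and the field names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample network logon events (simplified 4624-style fields).
EVENTS = [
    {"time": "2024-01-10T09:00:00", "user": "alice", "src_ip": "10.0.0.5", "target": "FS01", "logon_type": 3},
    {"time": "2024-01-10T09:01:00", "user": "alice", "src_ip": "10.0.0.5", "target": "FS02", "logon_type": 3},
    {"time": "2024-01-10T13:00:00", "user": "svc_backup", "src_ip": "10.0.0.77", "target": "WS01", "logon_type": 3},
    {"time": "2024-01-10T13:00:20", "user": "svc_backup", "src_ip": "10.0.0.77", "target": "WS02", "logon_type": 3},
    {"time": "2024-01-10T13:00:40", "user": "svc_backup", "src_ip": "10.0.0.77", "target": "WS03", "logon_type": 3},
    {"time": "2024-01-10T13:01:00", "user": "svc_backup", "src_ip": "10.0.0.77", "target": "DC01", "logon_type": 3},
]

# Constructed baseline: user/source-IP pairs that have been seen before.
KNOWN_PAIRS = {("alice", "10.0.0.5"), ("svc_backup", "10.0.0.9")}


def unknown_pairs(events, known):
    """Anomaly check: network logons (type 3) whose user/IP pair is not in the baseline."""
    return sorted({(e["user"], e["src_ip"]) for e in events
                   if e["logon_type"] == 3 and (e["user"], e["src_ip"]) not in known})


def lateral_movement(events, max_targets=3, window=timedelta(minutes=5)):
    """Threshold check: a source IP that logs on to more than max_targets distinct
    hosts within `window` is flagged; this fan-out is the typical pass-the-hash symptom.
    Returns {src_ip: sorted list of targets hit inside the first window that trips it}."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e["target"]))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {host for t, host in hits[i:] if t - t0 <= window}
            if len(targets) > max_targets:
                flagged[src] = sorted(targets)
                break
    return flagged


if __name__ == "__main__":
    print("unknown user/IP pairs:", unknown_pairs(EVENTS, KNOWN_PAIRS))
    print("lateral movement:", lateral_movement(EVENTS))
```

Tune `max_targets` and `window` to the environment; service accounts that legitimately fan out (backup, monitoring) need their own baseline rather than a global threshold.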