This note documents detection patterns for Overpass-the-Hash within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4768 | Kerberos TGT request | Critical | Overpass-the-Hash converts an NTLM hash into a Kerberos TGT request. Look for unusual TGT requests originating from workstations using NTLM-derived credentials. Communication with the DC (TCP/UDP port 88) from an unusual process (e.g. Rubeus.exe) can serve as an indicator of a potential Overpass-the-Hash attack. |
| Security | 4769 | Kerberos service ticket request | High | Service ticket requests following suspicious TGT generation. |
| Security | 4624 | Successful logon | High | LogonType 3 or 9 sessions may appear when Kerberos authentication is performed using injected credentials. |
| Security | 4648 | Explicit credentials used | High | Explicit credential usage may appear when an attacker initiates authentication using manipulated credential material. |
| Security | 4672 | Special privileges assigned | High | A privileged session may occur if the attacker authenticates using a privileged account's hash. |
| Sysmon | 10 | Process accessed LSASS | Critical | LSASS access used to extract NTLM hashes prior to ticket generation. |
| Sysmon | 1 | Process creation | High | Execution of tools such as Mimikatz or Rubeus performing sekurlsa::pth or Kerberos ticket requests. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Kerberos authentication from unusual workstation | Account requesting TGT from host it normally does not use | High | Possible attacker-controlled host. |
| TGT request after LSASS memory access | Process accesses LSASS followed by Kerberos authentication | Critical | Strong indicator of credential extraction followed by Overpass-the-Hash. |
| Rapid service ticket requests after TGT issuance | Multiple 4769 events shortly after 4768 | High | Indicates an attacker leveraging the new Kerberos session. |
| Authentication to multiple systems quickly | Account authenticating across hosts | High | Possible lateral movement. |
| Execution of credential manipulation tools | Processes like mimikatz.exe, rubeus.exe | Critical | Direct evidence of credential abuse. |
Common Tools
| Tool | Usage |
|---|---|
| Mimikatz | Performs Overpass-the-Hash using sekurlsa::pth to request Kerberos TGTs. |
| Rubeus | Requests Kerberos tickets using NTLM hashes. |
| Impacket | getTGT.py uses NTLM hash to request Kerberos ticket. |
| Kekeo | Kerberos manipulation toolkit. |
| Invoke-Mimikatz | PowerShell wrapper executing credential abuse techniques. |
Relevant Artifacts
- Domain controller Security logs (4768, 4769, 4624)
- Kerberos operational logs
- Sysmon logs (1, 10)
- LSASS memory artifacts
- EDR telemetry detecting credential dumping tools
- Network authentication telemetry
- Prefetch artifacts showing execution of Mimikatz or Rubeus
- Kerberos ticket cache analysis
MITRE ATT&CK References
- T1550 Use Alternate Authentication Material
- T1550.003 Pass the Ticket
- T1558 Steal or Forge Kerberos Tickets
- T1078 Valid Accounts
Decision Tree
- Is the suspicious event present?
  - Identify Kerberos TGT request events (4768) from unusual hosts.
- What host generated the event?
  - Determine the workstation performing authentication.
- Is the account expected to perform this action?
  - Investigate authentication patterns and workstation relationships.
- Pivot:
  - Source host → inspect LSASS access events or execution of Mimikatz / Rubeus.
  - Account → review privileges associated with the session.
  - Network → analyze service ticket requests following TGT issuance.
- Confirm exploitation
  - Determine whether an NTLM hash was used to request Kerberos authentication.
Example Detection Templates
KQL

```kusto
SecurityEvent
| where EventID == 4768
| summarize count() by TargetUserName, IpAddress, bin(TimeGenerated, 5m)
```

```kusto
SecurityEvent
| where EventID == 4769
| summarize count() by ServiceName, TargetUserName, IpAddress, bin(TimeGenerated, 5m)
```

EQL

```eql
any where event.code == "4768"
```

Sigma

```yaml
title: Suspicious Kerberos TGT Request Activity
id: overpass-the-hash-detection
status: experimental
description: Detects suspicious Kerberos ticket granting ticket requests potentially indicating Overpass-the-Hash activity
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4768
  condition: selection
fields:
  - TargetUserName
  - IpAddress
falsepositives:
  - Legitimate Kerberos authentication
level: medium
tags:
  - attack.lateral_movement
  - attack.t1550
```

Splunk

```spl
index=main earliest=1690443407 latest=1690443544 source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=3 dest_port=88 Image!=*lsass.exe) OR EventCode=1
| eventstats values(process) as process by process_id
| where EventCode=3
| stats count by _time, Computer, dest_ip, dest_port, Image, process
| fields - count
```
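The templates above fire on every 4768, which is far too noisy on its own; the indirect indicators table and the decision tree describe the sequence that actually distinguishes Overpass-the-Hash. The following Python is an added example, not part of this note, that correlates constructed Sysmon 10, 4768 and 4769 records on three of those indicators: LSASS access on the source host shortly before the TGT request, a burst of service ticket requests right after it, and an account requesting a TGT from a host it has not used before. The HOST_IP join table, the BASELINE set and the sample events are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: a hostname -> client IP map (e.g. from DHCP or asset inventory) so Sysmon
# events (keyed by Computer) can be joined to DC Security events (keyed by IpAddress).
HOST_IP = {"WS01": "10.0.0.11", "WS02": "10.0.0.12"}
# Assumption: baseline of (account, client IP) pairs observed over a learning period.
BASELINE = {("alice", "10.0.0.12"), ("svc_backup", "10.0.0.50")}

# Constructed sample telemetry (not real logs). WS01 shows the full chain; WS02 is benign.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "src": "sysmon", "id": 10, "host": "WS01", "image": "C:\\Tools\\rubeus.exe"},
    {"ts": "2024-05-01T09:00:40", "src": "security", "id": 4768, "ip": "10.0.0.11", "user": "svc_backup"},
    {"ts": "2024-05-01T09:01:05", "src": "security", "id": 4769, "ip": "10.0.0.11", "user": "svc_backup", "svc": "cifs/FS01"},
    {"ts": "2024-05-01T09:01:10", "src": "security", "id": 4769, "ip": "10.0.0.11", "user": "svc_backup", "svc": "cifs/FS02"},
    {"ts": "2024-05-01T09:01:20", "src": "security", "id": 4769, "ip": "10.0.0.11", "user": "svc_backup", "svc": "ldap/DC01"},
    {"ts": "2024-05-01T09:05:00", "src": "security", "id": 4768, "ip": "10.0.0.12", "user": "alice"},
    {"ts": "2024-05-01T09:06:00", "src": "security", "id": 4769, "ip": "10.0.0.12", "user": "alice", "svc": "cifs/FS01"},
]

def ts(e):
    return datetime.fromisoformat(e["ts"])

def correlate(events, host_ip=HOST_IP, baseline=BASELINE,
              lsass_window=timedelta(minutes=10), burst_window=timedelta(minutes=5), burst_min=3):
    """Score every 4768 on three indicators: LSASS access on the same host shortly before,
    a burst of 4769s for the same account right after, and an unseen account/host pair."""
    ip_host = {ip: h for h, ip in host_ip.items()}
    lsass_by_host = defaultdict(list)          # Sysmon 10 timestamps per source host
    for e in events:
        if e["src"] == "sysmon" and e["id"] == 10:
            lsass_by_host[e["host"]].append(ts(e))
    alerts = []
    for e in events:
        if e["src"] != "security" or e["id"] != 4768:
            continue
        t, host = ts(e), ip_host.get(e["ip"], e["ip"])
        lsass_before = any(t - lsass_window <= lt <= t for lt in lsass_by_host[host])
        tickets = sum(1 for x in events if x["src"] == "security" and x["id"] == 4769
                      and x["ip"] == e["ip"] and x["user"] == e["user"]
                      and t <= ts(x) <= t + burst_window)
        reasons = []
        if lsass_before: reasons.append("lsass_access_before_tgt")
        if tickets >= burst_min: reasons.append("service_ticket_burst")
        if (e["user"], e["ip"]) not in baseline: reasons.append("unusual_host_for_account")
        if reasons:
            alerts.append({"user": e["user"], "host": host, "tickets": tickets, "reasons": reasons})
    return alerts
```

Calling `correlate(EVENTS)` returns one alert for svc_backup on WS01 carrying all three reasons, while alice's routine TGT from her usual workstation produces nothing; tune the windows and `burst_min` against your own baseline before deploying.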
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Credential protection | Enable Credential Guard and LSASS protection | Critical | Prevents hash extraction from memory. |
| Privileged access management | Restrict usage of high privilege accounts | High | Limits value of stolen hashes. |
| Kerberos monitoring | Monitor unusual TGT requests from workstations | High | Detects abnormal authentication patterns. |
| EDR monitoring | Detect execution of credential manipulation tools | High | Stops attacker tooling early. |
| Network segmentation | Limit lateral movement across systems | High | Reduces attack impact. |