This note documents detection patterns related to Pass the Hash within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4624 | Successful logon | Critical | LogonType 3 (network) often appears when NTLM authentication is performed using a stolen hash. LogonType 9 (NewCredentials) with LogonProcess=seclogo is a strong indicator that alternate credentials are in use. |
| Security | 4625 | Failed logon | Medium | Repeated failed NTLM logons may occur during hash validation attempts. |
| Security | 4648 | Explicit credentials used | High | May appear if the attacker attempts credential-based authentication prior to hash reuse. |
| Security | 4776 | NTLM authentication | Critical | Key event for Pass the Hash detection. Review WorkstationName, TargetUserName, and AuthenticationPackage. |
| Security | 4672 | Special privileges assigned | High | Privileged session established after successful hash authentication. |
| Sysmon | 10 | Process accessed LSASS | Critical | Access to LSASS memory to extract password hashes. |
| Sysmon | 1 | Process creation | High | Execution of tools like Mimikatz or Impacket used for Pass the Hash. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| NTLM authentication from unusual host | Account authenticating from system not normally used | High | Potential attacker-controlled workstation. Logon_Process="NtLmSsp" |
| Repeated NTLM authentication attempts | Multiple NTLM authentication events in short period | Medium | May indicate brute-force or credential validation. |
| LSASS memory access prior to authentication | Processes accessing LSASS before NTLM authentication | Critical | Suggests credential dumping occurred. |
| Administrative actions after authentication | Group membership changes or system modifications | Critical | Indicates attacker escalation after authentication. |
| Authentication across multiple hosts | Account authenticating to several hosts in short window | High | Possible lateral movement. |
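As an added example (not part of the original note), the two indirect indicators "NTLM authentication from unusual host" and "Authentication across multiple hosts" implemented in Python over parsed Security 4624 records. The sample events, the baseline of known source workstations, the 5-minute window and the three-host threshold are all constructed assumptions for illustration; the field names follow the standard 4624 schema.

```python
"""Indirect indicator checks over parsed Security 4624 records (added example).

Each record is a dict carrying the standard 4624 fields used below. SAMPLE_4624
and KNOWN_SOURCES are constructed for illustration, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime

# Constructed 4624 records: one service account fanning out to four servers via
# NTLM network logons within ~90 seconds, plus ordinary Kerberos/interactive noise.
SAMPLE_4624 = [
    {"time": "2024-05-01T10:00:05", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc_backup", "WorkstationName": "WS-FIN-07", "Computer": "FS01"},
    {"time": "2024-05-01T10:00:20", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc_backup", "WorkstationName": "WS-FIN-07", "Computer": "SQL02"},
    {"time": "2024-05-01T10:00:41", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc_backup", "WorkstationName": "WS-FIN-07", "Computer": "APP03"},
    {"time": "2024-05-01T10:01:30", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc_backup", "WorkstationName": "WS-FIN-07", "Computer": "DC01"},
    {"time": "2024-05-01T10:02:00", "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "jdoe", "WorkstationName": "WS-HR-02", "Computer": "FS01"},
    {"time": "2024-05-01T10:05:00", "LogonType": 2, "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "jdoe", "WorkstationName": "WS-HR-02", "Computer": "WS-HR-02"},
]

# Constructed baseline: workstations each account is normally seen from.
KNOWN_SOURCES = {"svc_backup": {"BACKUP01"}, "jdoe": {"WS-HR-02"}}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def ntlm_network_logons(events):
    """Keep only NTLM network logons (LogonType 3), ordered by time."""
    return sorted(
        (e for e in events
         if e["LogonType"] == 3 and e["AuthenticationPackageName"] == "NTLM"),
        key=_ts,
    )


def detect_fan_out(events, window_seconds=300, min_hosts=3):
    """Accounts reaching >= min_hosts distinct targets inside a sliding window.

    Returns {account: sorted distinct target hosts}, using the largest host set
    observed in any window for that account.
    """
    per_account = defaultdict(list)
    for e in ntlm_network_logons(events):
        per_account[e["TargetUserName"]].append(e)

    hits = {}
    for account, logons in per_account.items():
        start, best = 0, set()
        for end, e in enumerate(logons):
            # Slide the window start forward until the span fits.
            while (_ts(e) - _ts(logons[start])).total_seconds() > window_seconds:
                start += 1
            hosts = {x["Computer"] for x in logons[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            hits[account] = sorted(best)
    return hits


def detect_unusual_source(events, baseline):
    """NTLM network logons whose source workstation is outside the account's baseline.

    Returns (account, source_workstation, target_host) tuples; an account with
    no baseline entry is treated as having no known sources.
    """
    return [
        (e["TargetUserName"], e["WorkstationName"], e["Computer"])
        for e in ntlm_network_logons(events)
        if e["WorkstationName"] not in baseline.get(e["TargetUserName"], set())
    ]


if __name__ == "__main__":
    print("fan-out:", detect_fan_out(SAMPLE_4624))
    print("unusual source:", detect_unusual_source(SAMPLE_4624, KNOWN_SOURCES))
```

Both checks deliberately filter on AuthenticationPackageName so Kerberos network logons do not inflate the host count; a production version would source the baseline from a rolling history of 4624 records per account rather than a static dict.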
Common Tools
| Tool | Usage |
|---|---|
| Mimikatz | Extracts NTLM password hashes from LSASS memory. |
| Impacket psexec / wmiexec / smbexec | Uses NTLM hashes for remote authentication. |
| CrackMapExec | Automates Pass the Hash attacks across multiple systems. |
| Metasploit | Supports NTLM hash authentication modules. |
| Invoke-Mimikatz | PowerShell wrapper for Mimikatz. |
Relevant Artifacts
- Domain controller Security logs (4624, 4776)
- Host Security logs on target systems
- Sysmon logs (1, 10)
- LSASS memory artifacts
- EDR telemetry identifying credential dumping tools
- Network authentication telemetry
- Prefetch artifacts showing execution of Mimikatz or Impacket tools
- SMB authentication logs
MITRE ATT&CK References
- T1550 Use Alternate Authentication Material
- T1550.002 Pass the Hash
- T1078 Valid Accounts
Decision Tree
- Is the suspicious event present?
  - Identify NTLM authentication events (4776).
- What host generated the event?
  - Determine the workstation performing NTLM authentication.
- Is the account expected to perform this action?
  - Investigate authentication patterns and host relationships.
- Pivot:
  - Source host → inspect LSASS access events or execution of Mimikatz.
  - Account → review privileges and access history.
  - Network → analyze lateral movement patterns across hosts.
- Confirm exploitation
  - Determine whether the attacker reused an NTLM password hash for authentication.
Example Detection Templates
KQL
```kql
SecurityEvent
| where EventID == 4776
| summarize count() by TargetUserName, Workstation, bin(TimeGenerated, 5m)
```

```kql
SecurityEvent
| where EventID == 4624 and LogonType == 3
| project TimeGenerated, TargetUserName, IpAddress, WorkstationName
```
EQL
```eql
any where event.code == "4776"
```
Sigma
```yaml
title: Suspicious NTLM Authentication Activity
id: pass-the-hash-detection
status: experimental
description: Detects suspicious NTLM authentication potentially indicating Pass the Hash
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4776
    condition: selection
fields:
    - TargetUserName
    - Workstation
falsepositives:
    - Legitimate NTLM authentication
level: medium
tags:
    - attack.lateral_movement
    - attack.t1550.002
```
Splunk
```spl
# 4624
index=* earliest=1690543380 latest=1690545180 EventCode=4624 Logon_Type=3 Logon_Process="NtLmSsp"
| table _time, ComputerName, Account_Name, Source_Network_Address, Logon_Process

# 4648
index=* earliest=1690543380 latest=1690545180 EventCode=4648
| table _time, ComputerName, Account_Name, Target_Server_Name

# 4776
index=* earliest=1690543380 latest=1690545180 EventCode=4776
| table _time, ComputerName, Logon_Account

# 4624 LogonType 9 (NewCredentials) via seclogo
index=main source="WinEventLog:Security" EventCode=4624 Logon_Type=9 Logon_Process=seclogo
| table _time, ComputerName, user, Network_Account_Domain, Network_Account_Name, Logon_Type, Logon_Process

# Sysmon 10 (LSASS access) followed by 4624 LogonType 9 on the same host within 1 minute
index=main (source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=10 TargetImage="C:\Windows\system32\lsass.exe" SourceImage!="*MsMpEng.exe")
OR (source="WinEventLog:Security" EventCode=4624 Logon_Type=9 Logon_Process=seclogo)
| sort _time
| transaction host maxspan=1m endswith=(EventCode=4624) startswith=(EventCode=10)
| table _time, host, SourceImage, Network_Account_Name, Logon_Type
```
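The last Splunk search above and the "Source host" pivot of the decision tree ask the same question: did a process read LSASS on this host shortly before a NewCredentials logon (LogonType 9, LogonProcess seclogo)? The following Python is an added example, not from the original note, that implements that correlation over a mixed Sysmon/Security feed. The one-minute maxspan and the MsMpEng.exe exclusion mirror the search; the event records, hostnames, image paths and account names are constructed.

```python
"""Host-level correlation: LSASS access followed by a seclogo LogonType 9 logon.

Added example mirroring the transaction-style Splunk search. Records are dicts
with Splunk-style field names; SAMPLE_EVENTS is constructed, not real telemetry.
"""
from datetime import datetime

LSASS = r"C:\Windows\system32\lsass.exe"
# Known-benign LSASS readers to suppress (assumption: the AV engine, as in the search).
EXCLUDED_SOURCES = ("msmpeng.exe",)

# Constructed mixed feed of Sysmon 10 and Security 4624 records.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T11:00:00", "host": "WS-FIN-07", "EventCode": 10,
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetImage": LSASS},
    {"time": "2024-05-01T11:00:12", "host": "WS-FIN-07", "EventCode": 10,
     "SourceImage": r"C:\Users\Public\tmp\upd.exe", "TargetImage": LSASS},
    {"time": "2024-05-01T11:00:40", "host": "WS-FIN-07", "EventCode": 4624,
     "Logon_Type": 9, "Logon_Process": "seclogo", "user": "jdoe",
     "Network_Account_Name": "da_admin"},
    # LogonType 9 with no preceding LSASS access on that host: not correlated.
    {"time": "2024-05-01T11:03:00", "host": "WS-HR-02", "EventCode": 4624,
     "Logon_Type": 9, "Logon_Process": "seclogo", "user": "jsmith",
     "Network_Account_Name": "jsmith"},
    # LSASS access with no follow-on logon: left pending, no alert.
    {"time": "2024-05-01T11:10:00", "host": "APP03", "EventCode": 10,
     "SourceImage": r"C:\Windows\System32\taskmgr.exe", "TargetImage": LSASS},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def is_lsass_access(event):
    """Sysmon 10 against lsass.exe from a source not on the exclusion list."""
    if event["EventCode"] != 10:
        return False
    if event.get("TargetImage", "").lower() != LSASS.lower():
        return False
    return not event["SourceImage"].lower().endswith(EXCLUDED_SOURCES)


def is_newcreds_logon(event):
    """Security 4624 with LogonType 9 and LogonProcess seclogo."""
    return (event["EventCode"] == 4624
            and event.get("Logon_Type") == 9
            and event.get("Logon_Process") == "seclogo")


def correlate_lsass_to_seclogo(events, maxspan_seconds=60):
    """Pair each qualifying 4624 with the latest prior LSASS access on the same host.

    Emits one alert per access/logon pair whose gap is within maxspan_seconds,
    matching `transaction host maxspan=1m startswith=(EventCode=10) endswith=(EventCode=4624)`.
    """
    pending = {}   # host -> most recent non-excluded LSASS access
    alerts = []
    for e in sorted(events, key=_ts):
        if is_lsass_access(e):
            pending[e["host"]] = e
        elif is_newcreds_logon(e):
            prior = pending.get(e["host"])
            if prior is None:
                continue
            delta = (_ts(e) - _ts(prior)).total_seconds()
            if delta <= maxspan_seconds:
                alerts.append({
                    "host": e["host"],
                    "lsass_reader": prior["SourceImage"],
                    "caller": e["user"],
                    "alt_account": e["Network_Account_Name"],
                    "delta_s": delta,
                })
                del pending[e["host"]]   # the logon closes the transaction
    return alerts


if __name__ == "__main__":
    for alert in correlate_lsass_to_seclogo(SAMPLE_EVENTS):
        print(alert)
```

The exclusion list is matched case-insensitively on the image file name because Sysmon records the full path as executed. LogonType 9 with seclogo is also what `runas /netonly` produces, so the LSASS-access precondition is what lifts this from a medium-confidence signal to a high-confidence one; keep the alert output keyed on `lsass_reader` so the analyst's first pivot is the process that touched LSASS.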
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Credential protection | Enable LSASS protection and Credential Guard | Critical | Prevents hash extraction. |
| NTLM restrictions | Disable or restrict NTLM authentication | High | Eliminates attack vector. |
| Privileged access control | Use dedicated admin accounts | High | Limits impact of credential theft. |
| Monitoring | Alert on abnormal NTLM authentication patterns | High | Early detection of attack activity. |
| Network segmentation | Restrict lateral movement between hosts | High | Reduces attack propagation. |