Ketshash

A little tool for detecting suspicious privileged NTLM connections, in particular the Pass-The-Hash attack, based on event viewer logs.

The tool was published as part of the "Pass-The-Hash detection" research - more details on "Pass-The-Hash detection" are in the blog post:
https://www.cyberark.com/threat-research-blog/detecting-pass-the-hash-with-windows-event-viewer

Full research can be found in the white paper:
https://www.cyberark.com/resource/pass-hash-detection-using-windows-events/
(direct link: http://lp.cyberark.com/rs/cyberarksoftware/images/wp-Labs-Pass-the-hash-research-01312018.pdf)

Demo

(demo video not reproduced here)

Requirements

Account with the following privileges:

  • Access to remote machines' security event logs
  • ActiveDirectory read permissions (standard domain account)
  • Computers synchronized to the same time; otherwise the results can be affected
  • Minimum PowerShell 2.0

Overview

Ketshash is a tool for detecting suspicious privileged NTLM connections, based on the following information:

  • Security event logs on the monitored machines (Login events)
  • Authentication events from Active Directory

Usage

There are two options:

Basic Usage

  • Open PowerShell and run:
    • Import-Module .\Ketshash.ps1 or copy & paste Ketshash.ps1 content to PowerShell session
    • Invoke-DetectPTH <arguments>

Ketshash Runner

  • Make sure Ketshash.ps1 is in the same directory as KetshashRunner.exe
  • Double click KetshashRunner.exe, change the settings if needed and press Run


Invoke-DetectPTH

Parameters:
  • TargetComputers - Array of target computers on which to detect NTLM connections.
  • TargetComputersFile - Path to a file with a list of target computers on which to detect NTLM connections.
  • StartTime - Time from which detection starts. The default is the current time.
  • UseKerberosCheck - Checks for TGT\TGS logons on the DCs in the organization. The default is to search for a legitimate logon on the source machine. Either way, with or without this switch, event ID 4648 is still queried on the source machine.
  • UseNewCredentialsCheck - Checks for logon events with logon type 9 (like Mimikatz). This is optional; the default algorithm already covers it. It exists only to show another option for detecting suspicious NTLM connections. On Windows 10 and Server 2016, "Microsoft-Windows-LSA/Operational" should be enabled in the event viewer. On Windows 10 and Server 2016, enabling "kernel object auditing" will provide more accurate information, such as writes to LSASS.
  • LogFile - Log file path in which to save the results.
  • MaxHoursOfLegitLogonPriorToNTLMEvent - How many hours to look backwards from the time of the NTLM event for a legitimate logon. The default is 2 hours.
Example (recommended):
Invoke-DetectPTH -TargetComputers "MARS-7" -LogFile "C:\tmp\log.txt"


Example:
Invoke-DetectPTH -TargetComputers "ComputerName" -StartTime ([datetime]"2017-12-14 12:50:00 PM") -LogFile "C:\tmp\log.txt" -UseKerberosCheck -UseNewCredentialsCheck
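As an added illustration (not Ketshash's own code, and a simplification of the rule the parameters above describe), the following Python applies the look-back check to a set of constructed events: an NTLM network logon on the target is flagged unless the same user has a legitimate logon on the source machine (or a TGT request on a DC, when the Kerberos check is on) within MaxHoursOfLegitLogonPriorToNTLMEvent, and a 4648 on the source machine is flagged regardless. The logon-type set, the sample hosts and users, and the event field names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs); 4624 = logon, 4648 = logon with
# explicit credentials, 4768 = Kerberos TGT requested. Clocks assumed in sync.
def ev(host, eid, user, time, **extra):
    e = {"host": host, "id": eid, "user": user, "time": datetime.fromisoformat(time)}
    e.update(extra)
    return e

EVENTS = [
    # alice logs on at WS-1, then reaches MARS-7 over NTLM: benign
    ev("WS-1",   4624, "alice", "2017-12-14 12:10", logon_type=2),
    ev("MARS-7", 4624, "alice", "2017-12-14 13:00", logon_type=3, auth="NTLM", src="WS-1"),
    # bob never logged on at WS-2, yet an NTLM logon from WS-2 appears: suspicious
    ev("MARS-7", 4624, "bob",   "2017-12-14 13:05", logon_type=3, auth="NTLM", src="WS-2"),
    # carol only has a TGT request on the DC: legitimate only with the Kerberos check
    ev("DC-1",   4768, "carol", "2017-12-14 12:30"),
    ev("MARS-7", 4624, "carol", "2017-12-14 13:10", logon_type=3, auth="NTLM", src="WS-3"),
    # dave's interactive logon is older than the look-back window: suspicious
    ev("WS-4",   4624, "dave",  "2017-12-14 09:00", logon_type=10),
    ev("MARS-7", 4624, "dave",  "2017-12-14 13:20", logon_type=3, auth="NTLM", src="WS-4"),
    # eve used explicit credentials (4648) on WS-5 before the NTLM logon: suspicious
    ev("WS-5",   4624, "eve",   "2017-12-14 12:40", logon_type=2),
    ev("WS-5",   4648, "eve",   "2017-12-14 12:58"),
    ev("MARS-7", 4624, "eve",   "2017-12-14 13:30", logon_type=3, auth="NTLM", src="WS-5"),
]

LEGIT_LOGON_TYPES = {2, 7, 10, 11}  # interactive, unlock, RDP, cached interactive (assumed)

def detect_pth(events, target, max_hours=2, use_kerberos_check=False):
    """Flag NTLM network logons on `target` (4624, logon type 3) that have no
    legitimate logon for the same user on the source machine (or a DC TGT, if enabled)."""
    window = timedelta(hours=max_hours)
    findings = []
    for e in events:
        if not (e["host"] == target and e["id"] == 4624
                and e.get("logon_type") == 3 and e.get("auth") == "NTLM"):
            continue
        prior = [p for p in events if p["user"] == e["user"]
                 and e["time"] - window <= p["time"] <= e["time"]]
        legit = any(p["host"] == e["src"] and p["id"] == 4624
                    and p.get("logon_type") in LEGIT_LOGON_TYPES for p in prior)
        if use_kerberos_check:
            legit = legit or any(p["id"] == 4768 for p in prior)
        explicit = any(p["host"] == e["src"] and p["id"] == 4648 for p in prior)
        if explicit or not legit:
            findings.append({"user": e["user"], "src": e["src"], "reason":
                             "explicit credentials (4648)" if explicit else "no legit logon"})
    return findings
```

Running detect_pth(EVENTS, "MARS-7") flags bob, carol, dave and eve; adding use_kerberos_check=True clears carol, and widening max_hours to 6 clears dave.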


Debugging

Because it uses threads, it is not possible to debug the script block of the main function. A workaround is to call Invoke-Command before Detect-PTHMultithreaded:

Invoke-Command -ScriptBlock $detectPTHScriptBlock -ArgumentList $TargetComputers, $startTime, $LogFile, $UseKerberosCheck, $UseNewCredentialsCheck, $MaxHoursOfLegitLogonPriorToNTLMEvent

Detect only one target computer:

Invoke-DetectPTH -TargetComputers "<computer_name>" ...

Change $TargetComputers to be [string] instead of [array]. This way it is possible to use breakpoints inside the script block of the main function.

References

For more comments and questions, you can contact Eviatar Gerzi (@g3rzi) and CyberArk Labs.
