ketshash v1.5 releases: detecting suspicious privileged NTLM connections
Ketshash
A little tool for detecting suspicious privileged NTLM connections, in particular, Pass-The-Hash attack, based on event viewer logs.
The tool was published as part of the “Pass-The-Hash detection” research – more details on “Pass-The-Hash detection” are in the blog post.
Full research can be found in the white paper.
Ketshash is a tool for detecting suspicious privileged NTLM connections, based on the following information:
- Security event logs on the monitored machines (Login events)
- Authentication events from Active Directory
Download
git clone https://github.com/cyberark/ketshash.git
Use
Account with the following privileges:
- Access to remote machines’ security event logs
- ActiveDirectory read permissions (standard domain account)
- Computers synchronized at the same time, otherwise, it can affect the results
- Minimum PowerShell 2.0
Basic Usage
- Open PowerShell and run:
- Import-Module .\Ketshash.ps1 or copy & paste Ketshash.ps1 content to PowerShell session
- Invoke-DetectPTH <arguments>
Ketshash Runner
- Make sure Ketshash.ps1 is in the same directory of KetshashRunner.exe
- Double click on KetshashRunner.exe, change settings if you need and press Run
Invoke-DetectPTH
Parameters:
- TargetComputers – Array of target computers to detect for NTLM connections.
- TargetComputersFile – Path to file with a list of target computers to detect for NTLM connections.
- StartTime – Time when the detection starts. The default is the current time.
- UseKerberosCheck – Checks for TGT\TGS logons on the DCs on the organization. The default is to search for legitimate logon on the source machine. Anyway, with or without this switch there is still a query for event ID 4648 on the source machine.
- UseNewCredentialsCheck – Checks for logon events with logon type 9 (like Mimikatz). This is optional, the default algorithm already covers it. It exists just to show another option to detect suspicious NTLM connections. On the Windows versions 10 and Server 2016, “Microsoft-Windows-LSA/Operational” should be enabled in event viewer. On Windows 10 and Server 2016, enabling “kernel object auditing” will provide more accurate information such as writing to LSASS.
- LogFile – Log file path to save the results.
- MaxHoursOfLegitLogonPriorToNTLMEvent – How many hours to look backward and search for legitimate logon from the time of the NTLM event. The default is 2 hours backward.
Copyright (C) 2018 Eviatar Gerzi (@g3rzi) and CyberArk Labs
Source: https://github.com/cyberark/