mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 21:54:56 +03:00
mukul975
1.5 KiB
1.5 KiB
API Reference: Detecting Pass-the-Hash Attacks
Windows Event ID 4624 Fields
| Field | PtH Signal |
|---|---|
| LogonType | 3 (Network) |
| AuthenticationPackageName | NTLM (not Kerberos) |
| LogonProcessName | NtLmSsp |
| IpAddress | Source of authentication |
| TargetUserName | Account being used |
python-evtx Usage
import Evtx.Evtx as evtx
with evtx.Evtx("Security.evtx") as log:
for record in log.records():
xml = record.xml()
# Filter EventID 4624, LogonType=3, AuthPackage=NTLM
PtH Detection Logic
src_targets = defaultdict(set)
for event in ntlm_logons:
src_targets[event["source_ip"]].add(event["computer"])
# Alert when single source authenticates to 3+ targets via NTLM
Splunk SPL Detection
index=wineventlog EventCode=4624 Logon_Type=3
| where Authentication_Package="NTLM"
| stats dc(Computer) as targets by Source_Network_Address, Account_Name
| where targets >= 3
| sort -targets
KQL (Microsoft Sentinel)
SecurityEvent
| where EventID == 4624 and LogonType == 3
| where AuthenticationPackageName == "NTLM"
| summarize TargetCount=dcount(Computer) by IpAddress, TargetUserName
| where TargetCount >= 3
Mitigation
# Restrict NTLM authentication
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RestrictSendingNTLMTraffic" -Value 2
CLI Usage
python agent.py --security-log Security.evtx
python agent.py --security-log Security.evtx --target-threshold 5