mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 21:54:56 +03:00
# API Reference: Detecting Pass-the-Hash Attacks
## Windows Event ID 4624 Fields
| Field | PtH Signal |
|-------|------------|
| LogonType | 3 (Network) |
| AuthenticationPackageName | NTLM (not Kerberos) |
| LogonProcessName | NtLmSsp |
| IpAddress | Source of authentication |
| TargetUserName | Account being used |
## python-evtx Usage
```python
import xml.etree.ElementTree as ET
import Evtx.Evtx as evtx

# record.xml() returns Event XML in the Windows event namespace
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

with evtx.Evtx("Security.evtx") as log:
    for record in log.records():
        root = ET.fromstring(record.xml())
        # Filter EventID 4624, LogonType=3, AuthPackage=NTLM
        data = {d.get("Name"): (d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)}
        if root.findtext("e:System/e:EventID", namespaces=NS) == "4624" \
                and data.get("LogonType") == "3" and data.get("AuthenticationPackageName") == "NTLM":
            print(data.get("IpAddress"), data.get("TargetUserName"))
```
## PtH Detection Logic
```python
from collections import defaultdict

# ntlm_logons: dicts with "source_ip" and "computer" keys, built from the 4624 filter above
src_targets = defaultdict(set)
for event in ntlm_logons:
    src_targets[event["source_ip"]].add(event["computer"])
# Alert when single source authenticates to 3+ targets via NTLM
alerts = {ip: hosts for ip, hosts in src_targets.items() if len(hosts) >= 3}
```
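A runnable version of the two Python fragments above, added here as an example and not code from the repository: it parses constructed 4624 records in the Event XML shape that python-evtx's `record.xml()` returns (the hosts, IPs and account name are made up), keeps only LogonType 3 / NTLM logons, and applies the 3+ distinct targets rule. The helper names `make_4624`, `parse_ntlm_network_logon` and `detect_pth` are assumptions, not names from `agent.py`.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample records in the Event XML shape python-evtx's record.xml() returns
# (hypothetical helper; real records carry many more Data fields).
def make_4624(computer, ip, logon_type, package, user="svc-backup"):
    return f"""<Event xmlns="{NS['e']}"><System><EventID>4624</EventID>
<Computer>{computer}</Computer></System><EventData>
<Data Name="TargetUserName">{user}</Data><Data Name="LogonType">{logon_type}</Data>
<Data Name="AuthenticationPackageName">{package}</Data>
<Data Name="LogonProcessName">NtLmSsp </Data><Data Name="IpAddress">{ip}</Data>
</EventData></Event>"""

SAMPLE_RECORDS = [  # constructed test data
    make_4624("FS01", "10.0.0.5", 3, "NTLM"),
    make_4624("FS02", "10.0.0.5", 3, "NTLM"),
    make_4624("DC01", "10.0.0.5", 3, "NTLM"),
    make_4624("WS07", "10.0.0.5", 3, "Kerberos"),   # Kerberos logon: not counted
    make_4624("FS01", "10.0.0.9", 3, "NTLM"),       # single target: below threshold
    make_4624("FS01", "10.0.0.9", 2, "NTLM"),       # interactive logon: not counted
]

def parse_ntlm_network_logon(xml_text):
    """Return a dict for a 4624 / LogonType 3 / NTLM event, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    if data.get("LogonType") != "3" or data.get("AuthenticationPackageName") != "NTLM":
        return None
    return {"source_ip": data.get("IpAddress"),
            "computer": root.findtext("e:System/e:Computer", namespaces=NS),
            "user": data.get("TargetUserName")}

def detect_pth(xml_records, target_threshold=3):
    """Map each source IP to the distinct hosts it reached via NTLM network logon
    and return only the sources at or above the threshold (the alert set)."""
    src_targets = defaultdict(set)
    for event in filter(None, map(parse_ntlm_network_logon, xml_records)):
        src_targets[event["source_ip"]].add(event["computer"])
    return {ip: sorted(hosts) for ip, hosts in src_targets.items()
            if len(hosts) >= target_threshold}

if __name__ == "__main__":
    print(detect_pth(SAMPLE_RECORDS))  # {'10.0.0.5': ['DC01', 'FS01', 'FS02']}
```

Raising `target_threshold` mirrors the `--target-threshold` CLI option: at 4 the sample set produces no alert.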
## Splunk SPL Detection
```spl
index=wineventlog EventCode=4624 Logon_Type=3
| where Authentication_Package="NTLM"
| stats dc(Computer) as targets by Source_Network_Address, Account_Name
| where targets >= 3
| sort -targets
```
## KQL (Microsoft Sentinel)
```kql
SecurityEvent
| where EventID == 4624 and LogonType == 3
| where AuthenticationPackageName == "NTLM"
| summarize TargetCount=dcount(Computer) by IpAddress, TargetUserName
| where TargetCount >= 3
```
## Mitigation
```powershell
# Restrict outgoing NTLM traffic to remote servers (0 = allow all, 1 = audit all, 2 = deny all).
# The value lives under the MSV1_0 subkey of Lsa; run from an elevated prompt.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "RestrictSendingNTLMTraffic" -Value 2 -Type DWord
```
## CLI Usage
```bash
python agent.py --security-log Security.evtx
python agent.py --security-log Security.evtx --target-threshold 5
```