You will see events 4648, 4624, and 4672 the same as if I was doing legitimate NTLM authentication. However, there are a few key differences.
First, the 4624 event will have a Logon Type of 9. This is a NewCredential logon type and a very useful way to identify that a pass-the-hash took place.
Logon Type 9 is very rare. However, I was able to generate some false positives running applications that use impersonation. The main difference to key off of is the Logon Process will always be “seclogo” for pass-the-hash (from my tests), so you can filter on that to reduce false positive rates.
With Sysmon in place when a pass-the-hash occurs you will see Event ID 10 showing access to the LSASS process from Mimikatz or your pass-the-hash tool of choice.
© 1996-2023 Experts Exchange, LLC. All rights reserved. Covered by US Patent