Pass The Hash

Detecting Pass-The-Ticket and Pass-The-Hash Attack Using Simple WMI Commands

Reading this I wanted to follow along but there was some things left
out. I like reproducability and wanted to reproduce the resaults.

This artical starts out realy well. The first few paragraphs go over the
issue I am having. PTH is really hard to detect how can we do a better
job to filter out the false positives? This guy seams to have figured
something out so I read on.

In the section titled Technical PPT there is a numbered list or
steps, things to do. It goes as follows...

Just kidding read the artical.

here is whats missing

the following is done in powershell

gwmi Win32_LoggedOnUser

get a lot of this

__GENUS          : 2
__CLASS          : Win32_LoggedOnUser
__SUPERCLASS     : CIM_Dependency
__DYNASTY        : CIM_Dependency
__RELPATH        : Win32_LoggedOnUser.Antecedent="\\\\.\\root\\cimv2:Win32_Account.Domain=\"WIN-2VCENS6CSCE\",Name=\"SY
                   STEM\"",Dependent="\\\\.\\root\\cimv2:Win32_LogonSession.LogonId=\"999\""

gwmi Win32_LoggedOnUser| Select Antecedent

you get

Antecedent
----------
\\.\root\cimv2:Win32_Account.Domain="WIN-2VCENS6CSCE",Name="SYSTEM"
\\.\root\cimv2:Win32_Account.Domain="WIN-2VCENS6CSCE",Name="SYSTEM"
\\.\root\cimv2:Win32_Account.Domain="WIN-2VCENS6CSCE",Name="SYSTEM"
\\.\root\cimv2:Win32_Account.Domain="WIN-2VCENS6CSCE",Name="SYSTEM"
\\.\root\cimv2:Win32_Account.Domain="WIN-2VCENS6CSCE",Name="SYSTEM"
\\.\root\cimv2:Win32_Account.Domain="WIN-2VCENS6CSCE",Name="SYSTEM"
\\.\root\cimv2:Win32_Account.Domain="WIN-2VCENS6CSCE",Name="SYSTEM"
\\.\root\cimv2:Win32_Account.Domain="WIN-2VCENS6CSCE",Name="SYSTEM"
\\.\root\cimv2:Win32_Account.Domain="WIN-2VCENS6CSCE",Name="LOCAL SERVICE"
\\.\root\cimv2:Win32_Account.Domain="WIN-2VCENS6CSCE",Name="NETWORK SERVICE"
\\.\root\cimv2:Win32_Account.Domain="WINDOWS2012R2",Name="vagrant"
\\.\root\cimv2:Win32_Account.Domain="WINDOWS2012R2",Name="vagrant"
\\.\root\cimv2:Win32_Account.Domain="WINDOWS2012R2",Name="WIN2012$"
\\.\root\cimv2:Win32_Account.Domain="WINDOWS2012R2",Name="Administrator"
\\.\root\cimv2:Win32_Account.Domain="WINDOWS2012R2",Name="Administrator"
\\.\root\cimv2:Win32_Account.Domain="WIN-2VCENS6CSCE",Name="ANONYMOUS LOGON"
\\.\root\cimv2:Win32_Account.Domain="WIN-2VCENS6CSCE",Name="DWM-1"
\\.\root\cimv2:Win32_Account.Domain="WIN-2VCENS6CSCE",Name="DWM-1"

gwmi Win32_LoggedOnUser| Select Dependent

Dependent
---------
\\.\root\cimv2:Win32_LogonSession.LogonId="999"
\\.\root\cimv2:Win32_LogonSession.LogonId="475876"
\\.\root\cimv2:Win32_LogonSession.LogonId="232078"
\\.\root\cimv2:Win32_LogonSession.LogonId="148982"
\\.\root\cimv2:Win32_LogonSession.LogonId="232371"
\\.\root\cimv2:Win32_LogonSession.LogonId="232309"
\\.\root\cimv2:Win32_LogonSession.LogonId="232151"
\\.\root\cimv2:Win32_LogonSession.LogonId="135911"
\\.\root\cimv2:Win32_LogonSession.LogonId="997"
\\.\root\cimv2:Win32_LogonSession.LogonId="996"
\\.\root\cimv2:Win32_LogonSession.LogonId="572172"
\\.\root\cimv2:Win32_LogonSession.LogonId="473323"
\\.\root\cimv2:Win32_LogonSession.LogonId="537212"
\\.\root\cimv2:Win32_LogonSession.LogonId="192345"
\\.\root\cimv2:Win32_LogonSession.LogonId="523931"
\\.\root\cimv2:Win32_LogonSession.LogonId="146862"
\\.\root\cimv2:Win32_LogonSession.LogonId="69791"
\\.\root\cimv2:Win32_LogonSession.LogonId="69722"

gwmi Win32_LogonSession

a lot of

AuthenticationPackage : Negotiate
LogonId               : 69722
LogonType             : 2
Name                  :
StartTime             : 20180718201202.422084-240
Status                :

gwmi Win32_LoggedOnUser| Select Dependent

you get

Dependent
---------
\\.\root\cimv2:Win32_LogonSession.LogonId="999"
\\.\root\cimv2:Win32_LogonSession.LogonId="475876"
\\.\root\cimv2:Win32_LogonSession.LogonId="232078"
\\.\root\cimv2:Win32_LogonSession.LogonId="148982"
\\.\root\cimv2:Win32_LogonSession.LogonId="232371"
\\.\root\cimv2:Win32_LogonSession.LogonId="232309"
\\.\root\cimv2:Win32_LogonSession.LogonId="232151"
\\.\root\cimv2:Win32_LogonSession.LogonId="135911"
\\.\root\cimv2:Win32_LogonSession.LogonId="997"
\\.\root\cimv2:Win32_LogonSession.LogonId="996"
\\.\root\cimv2:Win32_LogonSession.LogonId="572172"
\\.\root\cimv2:Win32_LogonSession.LogonId="473323"
\\.\root\cimv2:Win32_LogonSession.LogonId="537212"
\\.\root\cimv2:Win32_LogonSession.LogonId="192345"
\\.\root\cimv2:Win32_LogonSession.LogonId="523931"
\\.\root\cimv2:Win32_LogonSession.LogonId="146862"
\\.\root\cimv2:Win32_LogonSession.LogonId="69791"
\\.\root\cimv2:Win32_LogonSession.LogonId="69722"

for PTH the author recommends "detect any "Negotiation" logon sessions
that contains the Logon Type '9'"

gwmi Win32_LogonSession | Select AuthenticationPackage

AuthenticationPackage
---------------------
Negotiate
Kerberos
Kerberos
Kerberos
Kerberos
Kerberos
Kerberos
Kerberos
Negotiate
Negotiate
Kerberos
NTLM
Negotiate
Negotiate

gwmi Win32_LogonSession | Select LogonType

LogonType
---------
        0
        3
        3
        3
        3
        3
        3
        3
        5
        5
        2
        3
        2
        2
The- Hash attack will be executed via this method, and the only time that 
you’ll see Logon Type ‘9’ in “Negotiation” session will be if someone is 
using runas command with the “netonly” parameter, which is not something 
you see every day in normal environments, so the false positive rate in 
this method is very low.

simple enough

iex (New-Object Net.WebClient).Downloadstring('https://raw.githubusercontent.com/JavelinNetworks/IR-Tools/master/Get-SessionAnomaly.ps1')

Footnote

Read more