[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-38934-en":3,"doc-seo-38934-105":30,"detail-sidebar-cat-0-en-105":91},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":21,"is_downloadable":21,"audit_status":21,"page_count":22,"language":23,"language_code":24,"site_id":25,"html_lang":24,"table_of_contents":26,"faqs":27,"seo_title":13,"seo_description":14,"update_tm":28,"read_time":29},38934,962075006959,"Anda","https://ap-avatar.wpscdn.com/avatar/e0002397efbe92a78e?_k=1776741047341049297",8,"Research & Report","An Open Source Approach to Detect Pass the Hash Attack in Active Directory Using Wazuh and Sysmon","Pass-the-Hash (PtH) attacks pose a persistent threat to organizations using Microsoft Active Directory by enabling privilege escalation, lateral movement, and long-term access without plaintext credentials. PtH can also bypass multifactor authentication, which makes it attractive for advanced persistent threat groups and ransomware operators. This paper introduces an open-source detection and mitigation system that analyzes PtH stages such as hash extraction, unauthorized NTLM authentication, and subsequent host compromise, using Sysmon telemetry and Wazuh log analysis to support timely detection in mid-sized environments.","ISSN 0361-7688, Programming and Computer Software, 2025, Vol. 51, No. 8, pp. 645–674. © Pleiades Publishing, Ltd., 2025.  \nAn Open-Source Approach to Detect Pass-the-Hash Attack in Active Directory Using Wazuh and Sysmon  \nJacques Gerald Vivian Felicitea,*, A. Omar Portillo-Dominguezb,c,** (ORCID: 0000-0003-3009-985X), and Vanessa Ayala-Riveraa,c,*** (ORCID: 0000-0001-7449-6473)  \na School of Informatics and Cybersecurity, Technological University Dublin, Dublin, Ireland b School of Enterprise Computing and Digital Transformation, Technological University Dublin, Dublin, Ireland c Digital Futures Research Hub, Technological University Dublin, Dublin, Ireland  \n*[e-mail: b00158349@mytudublin.ie](e-mail: b00158349@mytudublin.ie)  \n**[e-mail: vanessa.ayalarivera@tudublin.ie](e-mail: vanessa.ayalarivera@tudublin.ie)  \n***[e-mail: omar.portillo@tudublin.ie](e-mail: omar.portillo@tudublin.ie)  \nReceived August 17, 2025; revised August 27, 2025; accepted August 27, 2025  \nAbstractPass-the-Hash (PtH) attacks remain a significant security threat to organizations worldwide, particularly those relying on Microsoft Active Directory. This attack allows adversaries to to escalate privileges, move laterally across networks, and maintain persistent access without obtaining plaintext credentials. ditionally, PtH attacks can bypass multifactor authentication (MFA), making them a preferred technique for advanced persistent threat (APT) groups and ransomware operators. While previous research and vendor solutions have proposed PtH mitigation strategies, many rely on proprietary software, lack transparency, or fall short in detecting real-time attacker behavior in mid-sized environments. To tackle this problem, this paper presents an open-source-based detection system aimed at identifying and mitigating PtH attacks, offering a cost-effective alternative to commercial solutions. We systematically analyze the PtH attack vector, which exploits weaknesses in the Windows New Technology LAN Manager (NTLM) authentication protocol. Our study discusses the core stages ofa PtH attack, including hash extraction through credential dumping, unauthorized authentication using stolen NTLM hashes, and subsequent lateral movement to compromise additional hosts. We emphasize the stealthy nature of these attacks and their ability to evade conventional security tools; thus, the importance of having a multilayered defense strategy. Through a lab-based experimental setup, we demonstrate how combining Sysmon for telemetry and Wazuh for log analysis enables timely and effective detection of PtH behaviors. Our findings validate that open-source tools can significantly enhance an organization’s ability to detect and respond to PtH activity. Our work also offers practical insightsand actionable implementation guidance for security practitioners seeking to secure Active Directory environments using accessible, community-driven technologies.  \nKeyword: application security, active directory security, pass-the-hash attack, open-source software  \nDOI: 10.1134/S0361768825700483  \n1. INTRODUCTION  \nIn today скs enterprise IT landscape, Microsoft Active Directory (AD) is a foundational service for managing digital identities and access to networked resources. Today, over 95% of Fortune 1000 companies have adopted AD, deploying it within their infrastructure [1], and approximately 50000 organizations currently rely on it for directory services [2] . AD enables centralized administration of users, computers, groups, and policies across complex networks, extending its capabilities into cloud-based technologies through Azure AD integration [3] .  \nOften compared to a hierarchical phone book for Windows systems, AD organizes directory information through components such as domains, organiza-  \ntional units (OUs), forests, and trees. It relies on domain controllers (DCs), which authenticate users and enforce security policies. DCs maintain a writable copy ofthe AD database and verify cre","cbCaipf4Xco0kVGU","https://ap.wps.com/l/cbCaipf4Xco0kVGU","pdf",5537949,2,1,30,"English","en",105,"# Introduction\n## Active Directory fundamentals and threat relevance\n## Pass-the-Hash attack mechanism and typical stages\n## Detection approach using Sysmon and Wazuh","[{\"question\":\"What makes pass-the-hash (PtH) attacks especially dangerous in Active Directory environments?\",\"answer\":\"PtH enables adversaries to escalate privileges, move laterally, and maintain persistent access without plaintext credentials. It can also bypass multifactor authentication, which increases impact for sophisticated attackers.\"},{\"question\":\"How does the proposed open-source approach detect PtH activity?\",\"answer\":\"The system correlates Sysmon telemetry with Wazuh log analysis to identify behaviors across PtH stages, including hash extraction and unauthorized NTLM authentication followed by lateral movement.\"},{\"question\":\"Which parts of the PtH attack lifecycle are emphasized in the paper?\",\"answer\":\"The paper highlights credential dumping and hash extraction, authentication using stolen NTLM hashes, and later lateral movement to compromise additional hosts, focusing on stealth and evasion of conventional tools.\"}]",1783075422,76,{"code":4,"msg":31,"data":32},"ok",{"site_id":25,"language":24,"slug":33,"title":13,"keywords":34,"description":14,"schema_data":35,"social_meta":86,"head_meta":88,"extra_data":90,"updated_unix":28},"an-open-source-approach-to-detect-pass-the-hash-attack-in-active-directory-using-wazuh-and-sysmon","",{"@graph":36,"@context":85},[37,53,68],{"@type":38,"itemListElement":39},"BreadcrumbList",[40,44,47,50],{"item":41,"name":42,"@type":43,"position":21},"https://docshare.wps.com","Home","ListItem",{"item":45,"name":46,"@type":43,"position":20},"https://docshare.wps.com/document/","Document",{"item":48,"name":12,"@type":43,"position":49},"https://docshare.wps.com/document/research-report/",3,{"item":51,"name":13,"@type":43,"position":52},"https://docshare.wps.com/document/an-open-source-approach-to-detect-pass-the-hash-attack-in-active-directory-using-wazuh-and-sysmon/38934/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":24,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":41,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-07","2026-07-03",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71,77,81],{"name":72,"@type":73,"acceptedAnswer":74},"What makes pass-the-hash (PtH) attacks especially dangerous in Active Directory environments?","Question",{"text":75,"@type":76},"PtH enables adversaries to escalate privileges, move laterally, and maintain persistent access without plaintext credentials. It can also bypass multifactor authentication, which increases impact for sophisticated attackers.","Answer",{"name":78,"@type":73,"acceptedAnswer":79},"How does the proposed open-source approach detect PtH activity?",{"text":80,"@type":76},"The system correlates Sysmon telemetry with Wazuh log analysis to identify behaviors across PtH stages, including hash extraction and unauthorized NTLM authentication followed by lateral movement.",{"name":82,"@type":73,"acceptedAnswer":83},"Which parts of the PtH attack lifecycle are emphasized in the paper?",{"text":84,"@type":76},"The paper highlights credential dumping and hash extraction, authentication using stolen NTLM hashes, and later lateral movement to compromise additional hosts, focusing on stealth and evasion of conventional tools.","https://schema.org",{"og:url":51,"og:type":87,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":89,"canonical":51},"index,follow",{"doc_id":7,"site_id":25},{"code":4,"msg":5,"data":92},[93,97,101,105,110,115,120,122,127,130,134],{"id":21,"doc_module":4,"doc_module_name":46,"category_name":94,"show_sort_weight":95,"slug":96},"Story & Novel",90,"story-novel",{"id":20,"doc_module":4,"doc_module_name":46,"category_name":98,"show_sort_weight":99,"slug":100},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":46,"category_name":102,"show_sort_weight":103,"slug":104},"Exam",70,"exam",{"id":106,"doc_module":4,"doc_module_name":46,"category_name":107,"show_sort_weight":108,"slug":109},5,"Comic",60,"comic",{"id":111,"doc_module":4,"doc_module_name":46,"category_name":112,"show_sort_weight":113,"slug":114},6,"Technology",50,"technology",{"id":116,"doc_module":4,"doc_module_name":46,"category_name":117,"show_sort_weight":118,"slug":119},7,"Healthcare",40,"healthcare",{"id":11,"doc_module":4,"doc_module_name":46,"category_name":12,"show_sort_weight":22,"slug":121},"research-report",{"id":123,"doc_module":4,"doc_module_name":46,"category_name":124,"show_sort_weight":125,"slug":126},9,"Religion & Spirituality",20,"religion-spirituality",{"id":125,"doc_module":4,"doc_module_name":46,"category_name":128,"show_sort_weight":125,"slug":129},"World Cup","world-cup",{"id":131,"doc_module":4,"doc_module_name":46,"category_name":132,"show_sort_weight":131,"slug":133},10,"Lifestyle","lifestyle",{"id":135,"doc_module":4,"doc_module_name":46,"category_name":136,"show_sort_weight":106,"slug":137},19,"General","general"]