ketshash - tool for detecting suspicious privileged NTLM connections.

Ketshash is a small tool for detecting suspicious privileged NTLM connections, in particular Pass-the-Hash attacks, based on Windows Security event logs (Event Viewer).

Requirements
An account with the following privileges:
– Read access to the remote machines' Security event logs
– Active Directory read permissions (a standard domain account is enough)
Other requirements:
– The monitored machines and the domain controllers must have synchronized clocks; the detection correlates events by time across hosts, so clock skew can produce false results
– PowerShell 2.0 or later

Ketshash v1.2

Overview
Ketshash is a tool for detecting suspicious privileged NTLM connections, based on the following information:
+ Security event logs on the monitored machines (logon events)
+ Authentication events from Active Directory
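The overview above only names the two data sources; the following is an added, offline illustration (written in Python for portability, not Ketshash's own PowerShell code) of how logon events from monitored machines can be correlated with authentication events from Active Directory. The rule it implements is an assumption stated here: a privileged NTLM network logon (4624 with LogonType 3 and AuthenticationPackage NTLM, paired with a 4672 "special privileges" event for the same LogonId) is treated as expected only if the same account produced a credential-proving event shortly before, either a logon type in which the user enters credentials (4624 types 2, 7, 10, 11) or a Kerberos TGT request (4768) on a domain controller. The two-hour window, the event field names and all sample events are constructed for the example.

```python
"""Correlate privileged NTLM network logons with credential-proving events.

Added example, not Ketshash's own code. The event IDs follow Windows
Security log semantics; the correlation rule, the time window and the
sample events below are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Logon types in which the user has to present credentials (assumption:
# 2 interactive, 7 unlock, 10 RemoteInteractive/RDP, 11 cached interactive).
CREDENTIAL_LOGON_TYPES = {2, 7, 10, 11}
# Assumed freshness window: how long a proof of credentials "covers" later NTLM logons.
LEGIT_WINDOW = timedelta(hours=2)


@dataclass
class Event:
    host: str             # machine whose Security log produced the event
    event_id: int         # 4624 logon, 4672 special privileges, 4768 Kerberos TGT request
    time: datetime
    user: str
    logon_type: int = 0   # 4624 LogonType
    auth_pkg: str = ""    # 4624 AuthenticationPackageName
    logon_id: str = ""    # links a 4624 to its 4672 on the same host
    source_ip: str = ""


def privileged_ntlm_logons(events):
    """4624 network logons via NTLM whose LogonId also received 4672 on the same host."""
    privileged = {(e.host, e.logon_id) for e in events if e.event_id == 4672}
    return [e for e in events
            if e.event_id == 4624 and e.logon_type == 3
            and e.auth_pkg.upper() == "NTLM"
            and (e.host, e.logon_id) in privileged]


def has_legitimate_auth(logon, events, window=LEGIT_WINDOW):
    """True if the same account proved its credentials within `window` before `logon`.

    Because this compares timestamps taken on different hosts (workstations,
    domain controllers, servers), clock skew between them moves events across
    the window boundary; that is why the tool requires synchronized time.
    """
    for e in events:
        if e.user.lower() != logon.user.lower():
            continue
        if not (logon.time - window <= e.time <= logon.time):
            continue
        if e.event_id == 4624 and e.logon_type in CREDENTIAL_LOGON_TYPES:
            return True   # user typed a password (or equivalent) on some machine
        if e.event_id == 4768:
            return True   # AD issued a TGT, i.e. Kerberos pre-authentication succeeded
    return False


def detect_pth(events, window=LEGIT_WINDOW):
    """Privileged NTLM logons with no credential-proving event behind them."""
    return [l for l in privileged_ntlm_logons(events)
            if not has_legitimate_auth(l, events, window)]


def T(h, m, s=0):
    return datetime(2024, 3, 1, h, m, s)


# Constructed sample: one day of events gathered from several hosts.
SAMPLE_EVENTS = [
    # alice: console logon on WS01, TGT from DC01, then privileged NTLM logon to SRV01 -> expected
    Event("WS01", 4624, T(9, 0), "alice", logon_type=2, auth_pkg="Negotiate", logon_id="0x1A2B3"),
    Event("DC01", 4768, T(9, 0, 5), "alice", source_ip="10.0.0.10"),
    Event("SRV01", 4624, T(9, 30), "alice", logon_type=3, auth_pkg="NTLM", logon_id="0x5F001", source_ip="10.0.0.10"),
    Event("SRV01", 4672, T(9, 30), "alice", logon_id="0x5F001"),
    # bob: privileged NTLM logon with no credential-proving event anywhere -> Pass-the-Hash pattern
    Event("SRV01", 4624, T(10, 15), "bob", logon_type=3, auth_pkg="NTLM", logon_id="0x5F2C4", source_ip="10.0.0.99"),
    Event("SRV01", 4672, T(10, 15), "bob", logon_id="0x5F2C4"),
    # carol: RDP logon at 08:30, NTLM logon at 11:00 -> outside the 2h window, flagged
    Event("WS02", 4624, T(8, 30), "carol", logon_type=10, auth_pkg="Negotiate", logon_id="0x2B7E1"),
    Event("SRV02", 4624, T(11, 0), "carol", logon_type=3, auth_pkg="NTLM", logon_id="0x6A010", source_ip="10.0.0.20"),
    Event("SRV02", 4672, T(11, 0), "carol", logon_id="0x6A010"),
    # dave: NTLM network logon but no 4672 -> not privileged, never examined
    Event("SRV02", 4624, T(11, 5), "dave", logon_type=3, auth_pkg="NTLM", logon_id="0x6A0F0", source_ip="10.0.0.30"),
]

if __name__ == "__main__":
    for hit in detect_pth(SAMPLE_EVENTS):
        print(f"suspicious privileged NTLM logon: {hit.user} -> {hit.host} "
              f"from {hit.source_ip} at {hit.time:%H:%M}")
```

With the default window the script flags bob (no credential event at all) and carol (her credential event is too old); widening the window to three hours clears carol, which shows how much the verdict depends on the window and on the hosts' clocks agreeing.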

Usage:

Source: https://github.com/cyberark