
An Open-Source Approach to Detect Pass-the-Hash Attack in Active Directory Using Wazuh and Sysmon

Research output: Contribution to journal › Article › peer-review

Abstract

Pass-the-Hash (PtH) attacks remain a significant security threat to organizations worldwide, particularly those relying on Microsoft Active Directory. This attack allows adversaries to escalate privileges, move laterally across networks, and maintain persistent access without obtaining plaintext credentials. Additionally, PtH attacks can bypass multifactor authentication (MFA), making them a preferred technique for advanced persistent threat (APT) groups and ransomware operators. While previous research and vendor solutions have proposed PtH mitigation strategies, many rely on proprietary software, lack transparency, or fall short in detecting real-time attacker behavior in mid-sized environments. To tackle this problem, this paper presents an open-source-based detection system aimed at identifying and mitigating PtH attacks, offering a cost-effective alternative to commercial solutions. We systematically analyze the PtH attack vector, which exploits weaknesses in the Windows New Technology LAN Manager (NTLM) authentication protocol. Our study discusses the core stages of a PtH attack, including hash extraction through credential dumping, unauthorized authentication using stolen NTLM hashes, and subsequent lateral movement to compromise additional hosts. We emphasize the stealthy nature of these attacks and their ability to evade conventional security tools, and hence the importance of a multilayered defense strategy. Through a lab-based experimental setup, we demonstrate how combining Sysmon for telemetry and Wazuh for log analysis enables timely and effective detection of PtH behaviors. Our findings validate that open-source tools can significantly enhance an organization's ability to detect and respond to PtH activity. Our work also offers practical insights and actionable implementation guidance for security practitioners seeking to secure Active Directory environments using accessible, community-driven technologies.

Original language: English
Pages (from-to): 645-674
Number of pages: 30
Journal: Programming and Computer Software
Volume: 51
Issue number: 8
DOIs
Publication status: Published - Dec 2025

Keywords

  • active directory security
  • application security
  • open-source software
  • pass-the-hash attack
