6

I was wondering what you guys are doing to detect attacks like Pass-The-Hash within your network. I've read about Breachbox

http://www.darkreading.com/monitoring/researcher-to-open-source-tools-for-find/240156749

and would be interested to hear your thoughts on how to detect the attack. For those who haven't come across how to fix Pass-the-Hash, scriptjunkie's post is an excellent read:

http://www.scriptjunkie.us/2013/06/fixing-pass-the-hash-and-other-problems/

Polynomial
t0x1c

2 Answers

1

First of all, I greatly recommend this article, which provides knowledge about the basics of some of the more common attacks, but also covers the pass-the-hash attack quite admirably.

Now, it sounds to me like you are afraid that someone will (remotely) obtain administrator access to your computer and dump your hashes into their Lsass. You do not need to worry about this. If an attacker has admin access to your computer, he could (and probably would prefer to) employ a keylogger or another such program to not only find out that password, but all of your other usernames and passwords. This could be migrated into a process (a favorite seems to be explorer.exe) and run directly from your physical memory, thus making it undetectable to AV.

Really, the most plausible way to stop someone from gaining any sort of remote access to your computer is to keep all of your programs up-to-date and to get a good AV program (Kaspersky, Avast, and AVG have good reputations). If I misinterpreted your statement, please respond and I will try to get back to you.

  • 1
    Hi and thanks for your answer. Unfortunately it's not what I wanted to discuss or know about, as I am totally aware of how the attack is conducted. What I am interested in, though, is how you detect within your network if such an attack is currently happening. As a heads up, here is another paper discussing mitigation strategies: http://www.microsoft.com/en-us/download/details.aspx?id=36036 – t0x1c Jul 23 '13 at 14:37
  • You might try IP (or MAC address) whitelisting, which is easy to circumvent, but could catch a novice off-guard. Are we talking about a home network, or something belonging to a company? – user2218101 Jul 23 '13 at 19:10
0

You can't really detect or prevent Pass-the-hash attacks. You can discover where on your network Pass-the-hash attacks would be the most destructive.

I have heard of organizations so scared of pass-the-hash attacks (or that have been hit by them continuously) that they have a policy for administrators to change NT passwords after every use.

atdre