Potential Pass-the-Hash (PtH) Attempt

Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2023/03/29"
integration = ["windows", "system"]
maturity = "production"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal
system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's
cleartext password.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.forwarded*", "logs-system.security*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Pass-the-Hash (PtH) Attempt"
references = ["https://attack.mitre.org/techniques/T1550/002/"]
risk_score = 47
rule_id = "daafdf96-e7b1-4f14-b494-27e0d24b11f6"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
host.os.type:"windows" and
event.category : "authentication" and event.action : "logged-in" and
winlog.logon.type : "NewCredentials" and event.outcome : "success" and
user.id : (S-1-5-21-* or S-1-12-1-*) and winlog.event_data.LogonProcessName : "seclogo"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Pass-the-Hash (PtH) Attempt

Pass-the-Hash (PtH) is a technique where attackers use stolen password hashes to authenticate and move laterally across systems without needing plaintext passwords. This method exploits the authentication process in Windows environments. The detection rule identifies suspicious logins using specific logon types and processes, indicating potential PtH activity, by monitoring successful authentications with certain user IDs and logon processes.

### Possible investigation steps

- Review the event logs for the specific user IDs (S-1-5-21-* or S-1-12-1-*) to identify any unusual or unauthorized access patterns, focusing on the time and source of the logon events.
- Examine the winlog.event_data.LogonProcessName field for "seclogo" to determine if this process is commonly used in your environment or if it appears suspicious or unexpected.
- Correlate the successful authentication events with other security logs to identify any lateral movement or access to sensitive systems that occurred after the initial logon.
- Investigate the source IP addresses and hostnames associated with the logon events to determine if they are known and trusted within the network or if they originate from unusual or external locations.
- Check for any recent changes or anomalies in the accounts associated with the suspicious user IDs, such as password resets, privilege escalations, or unusual account activity.
- Consult threat intelligence sources to see if there are any known campaigns or threat actors using similar techniques or targeting similar environments.

### False positive analysis

- Legitimate administrative tools or scripts that use the "NewCredentials" logon type for automation or scheduled tasks can trigger false positives. Review and whitelist known benign processes or scripts that are part of regular operations.
- Security software or monitoring tools that perform regular checks using the "seclogo" logon process may be misidentified. Identify and exclude these tools from the detection rule to prevent unnecessary alerts.
- Service accounts with user IDs matching the specified patterns (S-1-5-21-* or S-1-12-1-*) might be flagged during routine operations. Ensure these accounts are documented and create exceptions for their expected activities.
- Regularly scheduled tasks or maintenance activities that involve authentication processes similar to PtH can cause false positives. Document these activities and adjust the detection rule to account for their occurrence.
- User behavior analytics might incorrectly flag normal user activities as suspicious. Implement user behavior baselining to differentiate between typical and atypical logon patterns, refining the detection criteria accordingly.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further lateral movement by the attacker.
- Revoke any active sessions associated with the compromised user IDs (S-1-5-21-* or S-1-12-1-*) to disrupt the attacker's access.
- Conduct a password reset for the affected accounts and any other accounts that may have been accessed using the compromised hashes.
- Review and update access controls and permissions for the affected accounts to ensure they adhere to the principle of least privilege.
- Deploy endpoint detection and response (EDR) tools to monitor for any further suspicious activity or attempts to use stolen hashes.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach.
- Implement additional logging and monitoring for the "seclogo" logon process to enhance detection of future pass-the-hash attempts."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"
[[rule.threat.technique.subtechnique]]
id = "T1550.002"
name = "Pass the Hash"
reference = "https://attack.mitre.org/techniques/T1550/002/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"

[rule.new_terms]
field = "new_terms_fields"
value = ["user.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
...
```
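The KQL query and the new_terms block above, re-implemented as an added example so the rule's logic can be exercised offline. This is not Elastic's code: each clause of the query is mirrored in `matches_pth_filter`, and `new_terms_alerts` approximates the new_terms behaviour by alerting on a user.id only when that account has not matched the filter within the preceding 10-day history window. Field names are the flattened ECS names the rule uses; the SIDs, host names, account names and timestamps in the sample events are constructed for the example, not real log data.

```python
"""Added example (not from the Elastic rule or this page): the rule's KQL
filter and an approximation of its new_terms behaviour, run over constructed
Windows Security 4624 events expressed in flattened ECS field names.
All SIDs, hosts, users and timestamps below are invented."""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Same SID prefixes the KQL `user.id : (S-1-5-21-* or S-1-12-1-*)` clause accepts:
# S-1-5-21-* covers domain and local accounts, S-1-12-1-* covers Entra ID accounts.
# Well-known SIDs such as S-1-5-18 (SYSTEM) fall outside both and never match.
SID_PATTERNS = ("S-1-5-21-*", "S-1-12-1-*")


def matches_pth_filter(event: dict) -> bool:
    """Mirror each clause of the rule's query against one flattened event."""
    return (
        event.get("host.os.type") == "windows"
        and event.get("event.category") == "authentication"
        and event.get("event.action") == "logged-in"
        and event.get("winlog.logon.type") == "NewCredentials"  # 4624 logon type 9
        and event.get("event.outcome") == "success"
        and any(fnmatchcase(event.get("user.id", ""), p) for p in SID_PATTERNS)
        and event.get("winlog.event_data.LogonProcessName") == "seclogo"
    )


def new_terms_alerts(events, history_window=timedelta(days=10)):
    """Approximate `type = "new_terms"` on `user.id` with `history_window_start`
    of now-10d: an alert is raised only when the matching user.id has not
    matched the filter inside the preceding history window. Events are sorted
    by @timestamp first, as the rule would see them in index order."""
    last_seen = {}  # user.id -> timestamp of its most recent matching event
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_pth_filter(ev):
            continue
        uid, ts = ev["user.id"], ev["@timestamp"]
        prev = last_seen.get(uid)
        if prev is None or ts - prev > history_window:
            alerts.append(ev)
        last_seen[uid] = ts
    return alerts


def _ev(ts, uid, user, host, logon_type, process, outcome="success"):
    """Build one constructed event using the field names the rule queries."""
    return {
        "@timestamp": ts,
        "host.os.type": "windows",
        "host.name": host,
        "event.category": "authentication",
        "event.action": "logged-in",
        "event.outcome": outcome,
        "winlog.logon.type": logon_type,
        "winlog.event_data.LogonProcessName": process,
        "user.id": uid,
        "user.name": user,
    }


T0 = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [  # constructed, not captured from a real host
    # Interactive console logon: wrong logon type, never matches.
    _ev(T0, "S-1-5-21-111-222-333-1001", "alice", "WS01", "Interactive", "User32"),
    # SYSTEM with NewCredentials: S-1-5-18 is outside both SID patterns.
    _ev(T0 + timedelta(minutes=1), "S-1-5-18", "SYSTEM", "WS01", "NewCredentials", "seclogo"),
    # A hash injection via sekurlsa::pth and a benign `runas /netonly` both look exactly like this.
    _ev(T0 + timedelta(minutes=5), "S-1-5-21-111-222-333-1001", "alice", "WS01", "NewCredentials", "seclogo"),
    # Same account two days later: not a new term, no second alert.
    _ev(T0 + timedelta(days=2), "S-1-5-21-111-222-333-1001", "alice", "WS02", "NewCredentials", "seclogo"),
    # Failed attempt: the event.outcome clause drops it.
    _ev(T0 + timedelta(days=2, minutes=1), "S-1-5-21-111-222-333-1002", "bob", "WS02", "NewCredentials", "seclogo", outcome="failure"),
    # Entra ID account doing the same thing: S-1-12-1-* prefix, first sighting, alert.
    _ev(T0 + timedelta(days=3), "S-1-12-1-444-555-666-777", "carol", "WS03", "NewCredentials", "seclogo"),
    # alice again after the 10-day window has lapsed: treated as a new term once more.
    _ev(T0 + timedelta(days=14), "S-1-5-21-111-222-333-1001", "alice", "WS01", "NewCredentials", "seclogo"),
]

if __name__ == "__main__":
    for a in new_terms_alerts(SAMPLE_EVENTS):
        print(a["@timestamp"].isoformat(), a["user.name"], a["user.id"], a["host.name"])
```

Running it yields three alerts (alice at T0+5min, carol at day 3, alice again at day 14) out of four events that satisfy the filter; the second alice logon on day 2 is suppressed because her user.id was already seen within the window. The sample also makes the main triage caveat concrete: at this layer a hash injection and an administrator's runas /netonly are the same event, so the process that received the credentials and the network logons that followed decide the case, not the 4624 alone.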

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Potential Pass-the-Hash (PtH) Attempt

Pass-the-Hash works because NTLM authentication proves possession of the account's NT hash rather than of the password: an attacker who has dumped the hash from LSASS memory, the SAM, or NTDS.DIT can authenticate as that user to any service that accepts NTLM without ever recovering the cleartext. This rule does not observe the NTLM exchange itself. It keys on the artefact that common PtH tooling leaves on the host where the hash is injected: a successful 4624 logon with logon type 9 (NewCredentials) whose logon process is "seclogo", the Secondary Logon service. Windows creates this logon when a caller clones its own token and supplies alternate credentials to be used only for outbound network connections, which is what Mimikatz sekurlsa::pth does and also what a legitimate runas /netonly does. The SID filter (S-1-5-21-* for domain and local accounts, S-1-12-1-* for Entra ID accounts) excludes well-known SIDs such as SYSTEM. Because the rule is a new_terms rule on user.id with a 10-day history window, it alerts only the first time an account appears with this pattern, so one alert may stand for many such logons; review the raw events, not just the alert.

Possible investigation steps

  • Read the full 4624 event from the source host. The account and host in the alert are where the credentials were injected, not where they were used: a type 9 logon keeps the caller's local identity and applies the alternate credentials only to outbound connections, so the account whose hash was stolen appears on the targets, as network logons (4624 logon type 3, and 4776 NTLM credential validation on domain controllers) originating from this host shortly after the alert.
  • Identify the process that received the new credentials by correlating process creation events (4688 or Sysmon event 1) on the source host around the alert timestamp. runas.exe launched from an administrator's console is a different case from a shell spawned by an unsigned or unknown binary.
  • Look for credential theft preceding the alert on the same host, such as LSASS handle access (Sysmon event 10), saves of the SAM and SECURITY registry hives, or known dumping tools; the hash had to come from somewhere.
  • Establish whether NewCredentials logons through seclogo are routine for this account and host. The rule only alerts on a user.id not seen with this pattern in the last 10 days, so search the full index for the same pattern to learn whether the account has a history of runas /netonly use.
  • Check for recent changes to the accounts involved, such as password resets, group membership changes, or privilege escalations, and whether the caller account should be able to reach the targets it contacted.
  • Consult threat intelligence for campaigns using the same tooling or targeting the same environment, but treat this as supporting context; the on-host evidence above decides the case.

False positive analysis

  • runas /netonly, and any other program that starts a process with alternate network-only credentials, produces exactly the same 4624 type 9 / seclogo event as a hash injection. Administrators reaching resources in untrusted or foreign domains, and management, backup, or deployment agents that launch processes this way, are the usual sources.
  • "seclogo" is the Secondary Logon service, not a security product; do not exclude it wholesale, since that disables the rule. Build exceptions on the combination of host, user, and parent process that is known to be benign.
  • Service accounts with S-1-5-21-* or S-1-12-1-* SIDs that legitimately run with alternate credentials fire once each when first seen; document them and add exceptions for their specific hosts and processes rather than for the SID pattern.
  • Scheduled maintenance that uses alternate network credentials looks the same; record when and from where it runs so that an alert can be matched against it.
  • A newly onboarded administrator or a new host produces one alert for an otherwise routine runas /netonly simply because the user.id is a new term; confirm the host, process, and targets instead of suppressing by account.

Response and remediation

  • Isolate the source host; that is where the hash was injected and very likely where it was stolen.
  • Treat both the caller account from the alert and the account whose hash was used as compromised. Reset their passwords, which changes the NT hash and invalidates the stolen one for new authentications; existing sessions persist until they expire, so also revoke active sessions for both accounts.
  • Identify every other host where the compromised account had a logon session, since the hash can be harvested again from any of them, and hunt for the same type 9 / seclogo pattern and the resulting type 3 logons across the estate.
  • Review the affected accounts' group memberships and access against least privilege; for high-value accounts, membership in the Protected Users group and enabling LSA Protection or Credential Guard on endpoints reduce hash exposure going forward.
  • If EDR is deployed, pull its process, memory-access, and network telemetry for the source host around the alert; if it is not, this incident is the case for deploying it.
  • Escalate to the SOC or incident response team to scope the intrusion: which hosts were reached with the stolen hash and what was done there.
  • Make sure 4624 events are collected with their full event_data fields and that process creation auditing (4688 with command line, or Sysmon) is enabled on endpoints, so that the next alert of this kind can be tied to the process that caused it.
