Potential Pass-the-Hash (PtH) Attempt
Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.
# Elastic prebuilt detection rule. [metadata] is rule bookkeeping; the
# detection logic lives under [rule] below.
[metadata]
creation_date = "2023/03/29"
integration = ["windows", "system"]
maturity = "production"
updated_date = "2024/10/28"
# Lowest Elastic Stack version this rule definition is valid for; the
# comment key records why the floor was raised.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal
system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's
cleartext password.
"""
# Lookback window, relative to each rule execution.
from = "now-9m"
# Windows Security event log as shipped by Winlogbeat or the windows/system
# integrations (the log source the query's winlog.* fields come from).
index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Pass-the-Hash (PtH) Attempt"
references = ["https://attack.mitre.org/techniques/T1550/002/"]
risk_score = 47
rule_id = "daafdf96-e7b1-4f14-b494-27e0d24b11f6"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: System"]
# Evaluate against ingest time rather than event time, so events that arrive
# late (agent backlog, clock skew) are not silently skipped by the lookback.
timestamp_override = "event.ingested"
# "new_terms": the query below is only a candidate filter; an alert fires
# only when the field named in [rule.new_terms] carries a value not seen in
# the history window (see [rule.new_terms] at the bottom of the file).
type = "new_terms"

# Candidate events: a successful Windows logon of type "NewCredentials"
# (logon type 9 — a process started with alternate network credentials,
# which is what a pass-the-hash logon uses) where the logon process is
# "seclogo", restricted to domain (S-1-5-21-*) or cloud-issued (S-1-12-1-*)
# account SIDs so that well-known built-in SIDs are excluded. Legitimate use
# of alternate credentials (e.g. an administrator using runas /netonly) can
# produce the same event shape; the new_terms gating is what keeps known,
# recurring user.id values from alerting every time.
# NOTE: a '#' inside the ''' literal string below would be part of the query,
# not a comment, so all commentary stays above this key.
query = '''
host.os.type:"windows" and
event.category : "authentication" and event.action : "logged-in" and
winlog.logon.type : "NewCredentials" and event.outcome : "success" and
user.id : (S-1-5-21-* or S-1-12-1-*) and winlog.event_data.LogonProcessName : "seclogo"
'''


# ATT&CK mapping: T1550.002 (Pass the Hash) under Lateral Movement.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"
[[rule.threat.technique.subtechnique]]
id = "T1550.002"
name = "Pass the Hash"
reference = "https://attack.mitre.org/techniques/T1550/002/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"

# New-terms gating: the term is user.id, so an alert is raised only when a
# user.id that matched the query has not produced a matching event in the
# preceding 10 days (history_window_start). A user who routinely performs
# NewCredentials/seclogo logons is therefore learned as baseline; widen or
# narrow the window to trade coverage against noise.
[rule.new_terms]
field = "new_terms_fields"
value = ["user.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"