Potential Pass-the-Hash (PtH) Attempt

Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.


 1[metadata]
 2creation_date = "2023/03/29"
 3integration = ["windows", "system"]
 4maturity = "production"
 5min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
 6min_stack_version = "8.4.0"
 7updated_date = "2024/01/16"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Adversaries may pass the hash using stolen password hashes to move laterally within an environment, 
13bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user 
14without having access to the user's cleartext password. 
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "Potential Pass-the-Hash (PtH) Attempt"
21references = ["https://attack.mitre.org/techniques/T1550/002/"]
22risk_score = 47
23rule_id = "daafdf96-e7b1-4f14-b494-27e0d24b11f6"
24severity = "medium"
25tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"]
26timestamp_override = "event.ingested"
27type = "new_terms"
28
29query = '''
30host.os.type:"windows" and 
31event.category : "authentication" and event.action : "logged-in" and 
32winlog.logon.type : "NewCredentials" and event.outcome : "success" and 
33user.id : (S-1-5-21-* or S-1-12-1-*) and winlog.event_data.LogonProcessName : "seclogo"
34'''
35
36
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39[[rule.threat.technique]]
40id = "T1550"
41name = "Use Alternate Authentication Material"
42reference = "https://attack.mitre.org/techniques/T1550/"
43[[rule.threat.technique.subtechnique]]
44id = "T1550.002"
45name = "Pass the Hash"
46reference = "https://attack.mitre.org/techniques/T1550/002/"
47
48
49
50[rule.threat.tactic]
51id = "TA0008"
52name = "Lateral Movement"
53reference = "https://attack.mitre.org/tactics/TA0008/"
54
55
56[rule.new_terms]
57field = "new_terms_fields"
58value = ["user.id"]
59
60[[rule.new_terms.history_window_start]]
61field = "history_window_start"
62value = "now-10d"
