Potential Pass-the-Hash (PtH) Attempt

Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/03/29"
 3integration = ["windows", "system"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal
11system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's
12cleartext password.
13"""
14from = "now-9m"
15index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"]
16language = "kuery"
17license = "Elastic License v2"
18name = "Potential Pass-the-Hash (PtH) Attempt"
19references = ["https://attack.mitre.org/techniques/T1550/002/"]
20risk_score = 47
21rule_id = "daafdf96-e7b1-4f14-b494-27e0d24b11f6"
22severity = "medium"
23tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"]
24timestamp_override = "event.ingested"
25type = "new_terms"
26
27query = '''
28host.os.type:"windows" and 
29event.category : "authentication" and event.action : "logged-in" and 
30winlog.logon.type : "NewCredentials" and event.outcome : "success" and 
31user.id : (S-1-5-21-* or S-1-12-1-*) and winlog.event_data.LogonProcessName : "seclogo"
32'''
33
34
35[[rule.threat]]
36framework = "MITRE ATT&CK"
37[[rule.threat.technique]]
38id = "T1550"
39name = "Use Alternate Authentication Material"
40reference = "https://attack.mitre.org/techniques/T1550/"
41[[rule.threat.technique.subtechnique]]
42id = "T1550.002"
43name = "Pass the Hash"
44reference = "https://attack.mitre.org/techniques/T1550/002/"
45
46
47
48[rule.threat.tactic]
49id = "TA0008"
50name = "Lateral Movement"
51reference = "https://attack.mitre.org/tactics/TA0008/"
52
53[rule.new_terms]
54field = "new_terms_fields"
55value = ["user.id"]
56[[rule.new_terms.history_window_start]]
57field = "history_window_start"
58value = "now-10d"
