Successful Overpass the Hash Attempt

Oct 23, 2025 · attack.defense-evasion attack.lateral-movement attack.s0002 attack.t1550.002 ·

Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.

Sigma rule (View on GitHub)

 1title: Successful Overpass the Hash Attempt
 2id: 192a0330-c20b-4356-90b6-7b7049ae0b87
 3status: test
 4description: Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
 5references:
 6    - https://web.archive.org/web/20220419045003/https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for.html
 7author: Roberto Rodriguez (source), Dominik Schaudel (rule)
 8date: 2018-02-12
 9modified: 2021-11-27
10tags:
11    - attack.defense-evasion
12    - attack.lateral-movement
13    - attack.s0002
14    - attack.t1550.002
15logsource:
16    product: windows
17    service: security
18detection:
19    selection:
20        EventID: 4624
21        LogonType: 9
22        LogonProcessName: seclogo
23        AuthenticationPackageName: Negotiate
24    condition: selection
25falsepositives:
26    - Runas command-line tool using /netonly parameter
27level: high

References

Chronicles of a Threat Hunter: Hunting for In-Memory Mimikatz with Sysmon, Win Event Logs, and ELK - Part III (Overpass-the-Hash - EIDs 10, 4624, 4648, 4768)

In my last posts about hunting for In-memory mimikatz that you can read here and here , I showed you that even though Mimikatz is ex...

Read More

Successful Overpass the Hash Attempt

Sigma rule (View on GitHub)

References

Chronicles of a Threat Hunter: Hunting for In-Memory Mimikatz with Sysmon, Win Event Logs, and ELK - Part III (Overpass-the-Hash - EIDs 10, 4624, 4648, 4768)

Related rules