Successful Overpass the Hash Attempt

calendarMay 2, 2023 · attack.lateral_movement attack.s0002 attack.t1550.002  ·
Share on: linkedincopy

Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.

Sigma rule (View on GitHub)

 1title: Successful Overpass the Hash Attempt
 2id: 192a0330-c20b-4356-90b6-7b7049ae0b87
 3status: test
 4description: Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
 5references:
 6    - https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html
 7author: Roberto Rodriguez (source), Dominik Schaudel (rule)
 8date: 2018/02/12
 9modified: 2021/11/27
10tags:
11    - attack.lateral_movement
12    - attack.s0002
13    - attack.t1550.002
14logsource:
15    product: windows
16    service: security
17detection:
18    selection:
19        EventID: 4624
20        LogonType: 9
21        LogonProcessName: seclogo
22        AuthenticationPackageName: Negotiate
23    condition: selection
24falsepositives:
25    - Runas command-line tool using /netonly parameter
26level: high

Related rules

to-top