Successful Overpass the Hash Attempt

Jun 26, 2023 · attack.lateral_movement attack.s0002 attack.t1550.002 ·

Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.

Sigma rule (View on GitHub)

 1title: Successful Overpass the Hash Attempt
 2id: 192a0330-c20b-4356-90b6-7b7049ae0b87
 3status: test
 4description: Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
 5references:
 6    - https://web.archive.org/web/20220419045003/https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for.html
 7author: Roberto Rodriguez (source), Dominik Schaudel (rule)
 8date: 2018/02/12
 9modified: 2021/11/27
10tags:
11    - attack.lateral_movement
12    - attack.s0002
13    - attack.t1550.002
14logsource:
15    product: windows
16    service: security
17detection:
18    selection:
19        EventID: 4624
20        LogonType: 9
21        LogonProcessName: seclogo
22        AuthenticationPackageName: Negotiate
23    condition: selection
24falsepositives:
25    - Runas command-line tool using /netonly parameter
26level: high

References

Chronicles of a Threat Hunter: Hunting for In-Memory Mimikatz with Sysmon, Win Event Logs, and ELK - Part III (Overpass-the-Hash - EIDs 10, 4624, 4648, 4768)

In my last posts about hunting for In-memory mimikatz that you can read here and here , I showed you that even though Mimikatz is ex...

Read More

Successful Overpass the Hash Attempt

Sigma rule (View on GitHub)

References

Chronicles of a Threat Hunter: Hunting for In-Memory Mimikatz with Sysmon, Win Event Logs, and ELK - Part III (Overpass-the-Hash - EIDs 10, 4624, 4648, 4768)

Related rules