Pass the Hash Activity 2

calendar Oct 23, 2025 · attack.defense-evasion attack.lateral-movement attack.t1550.002  ·
Share on: linkedin copy

Detects the attack technique pass the hash which is used to move laterally inside the network

Sigma rule (View on GitHub)

 1title: Pass the Hash Activity 2
 2id: 8eef149c-bd26-49f2-9e5a-9b00e3af499b
 3status: stable
 4description: Detects the attack technique pass the hash which is used to move laterally inside the network
 5references:
 6    - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
 7    - https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
 8    - https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
 9author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
10date: 2019-06-14
11modified: 2022-10-05
12tags:
13    - attack.defense-evasion
14    - attack.lateral-movement
15    - attack.t1550.002
16logsource:
17    product: windows
18    service: security
19    definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624
20detection:
21    selection_logon3:
22        EventID: 4624
23        SubjectUserSid: 'S-1-0-0'
24        LogonType: 3
25        LogonProcessName: 'NtLmSsp'
26        KeyLength: 0
27    selection_logon9:
28        EventID: 4624
29        LogonType: 9
30        LogonProcessName: 'seclogo'
31    filter:
32        TargetUserName: 'ANONYMOUS LOGON'
33    condition: 1 of selection_* and not filter
34falsepositives:
35    - Administrator activity
36level: medium

References

Related rules

to-top