Pass the Hash Activity 2

calendarMay 2, 2023 · attack.lateral_movement attack.t1550.002  ·
Share on: linkedincopy

Detects the attack technique pass the hash which is used to move laterally inside the network

Sigma rule (View on GitHub)

 1title: Pass the Hash Activity 2
 2id: 8eef149c-bd26-49f2-9e5a-9b00e3af499b
 3status: stable
 4description: Detects the attack technique pass the hash which is used to move laterally inside the network
 5references:
 6    - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
 7    - https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
 8    - https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
 9author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
10date: 2019/06/14
11modified: 2022/10/05
12tags:
13    - attack.lateral_movement
14    - attack.t1550.002
15logsource:
16    product: windows
17    service: security
18    definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624
19detection:
20    selection_logon3:
21        EventID: 4624
22        SubjectUserSid: 'S-1-0-0'
23        LogonType: 3
24        LogonProcessName: 'NtLmSsp'
25        KeyLength: 0
26    selection_logon9:
27        EventID: 4624
28        LogonType: 9
29        LogonProcessName: 'seclogo'
30    filter:
31        TargetUserName: 'ANONYMOUS LOGON'
32    condition: 1 of selection_* and not filter
33falsepositives:
34    - Administrator activity
35level: medium

Related rules

to-top