Pass the Hash Activity 2
Detects the attack technique pass the hash which is used to move laterally inside the network
Sigma rule (View on GitHub)
1title: Pass the Hash Activity 2
2id: 8eef149c-bd26-49f2-9e5a-9b00e3af499b
3status: stable
4description: Detects the attack technique pass the hash which is used to move laterally inside the network
5references:
6 - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
7 - https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
8 - https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
9author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
10date: 2019/06/14
11modified: 2022/10/05
12tags:
13 - attack.lateral_movement
14 - attack.t1550.002
15logsource:
16 product: windows
17 service: security
18 definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624
19detection:
20 selection_logon3:
21 EventID: 4624
22 SubjectUserSid: 'S-1-0-0'
23 LogonType: 3
24 LogonProcessName: 'NtLmSsp'
25 KeyLength: 0
26 selection_logon9:
27 EventID: 4624
28 LogonType: 9
29 LogonProcessName: 'seclogo'
30 filter:
31 TargetUserName: 'ANONYMOUS LOGON'
32 condition: 1 of selection_* and not filter
33falsepositives:
34 - Administrator activity
35level: medium
References
-
Configuration guidance for implementing collection of security relevant Windows Event Log events by using Windows Event Forwarding. #nsacyber - nsacyber/Event-Forwarding-Guidance
Read More -
This post explains exactly how to detect pass the hash using native Windows event logs and offers additional practical advice for defending against this threat.
Read More
Related rules
- Admin User Remote Logon
- RDP Login from Localhost
- Remote WMI ActiveScriptEventConsumers
- Scanner PoC for CVE-2019-0708 RDP RCE Vuln
- Failed Mounting of Hidden Share