NIM Pass The Hash Tooling Detection

Detection of Nim-based pass-the-hash tooling that creates a remote user (pth_createusers.exe) and adds it to the local Administrators group (pth_addadmin.exe).

Sigma rule

title: NIM Pass The Hash Tooling Detection
id: d938de18-7f57-4c9c-93b9-a621c746d594
status: experimental
description: Detection of NIM Tooling that Creates a Remote User (pth_createusers.exe) and Adds them to Local Admins group (pth_addadmin.exe)
author: 'The DFIR Report'
date: 2023-10-27
modified: 2023-10-27
references:
    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise
logsource:
    category: process_creation
    product: windows
detection:
    option_ip:
        CommandLine|contains:
            - '-i '
            - '--ip'
    option_domain:
        CommandLine|contains:
            - '-d '
            - '--domain'
    option_username:
        CommandLine|contains:
            - '-u '
            - '--username'
    hash_value1: # The --hash can be used to pass the hash parameter.
        CommandLine|contains: '--hash'
    parent:
        ParentImage|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
    hash_value_re:
        CommandLine|re: '[a-f0-9]{32}'
    condition: 1 of option_* and hash_value1 and hash_value_re and parent
falsepositives:
    - Unknown
level: high
tags:
    - attack.t1136
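To see what the rule's selections and condition actually match, the following Python script reimplements them and runs them over a few constructed process-creation events. This is an added example, not part of the rule or of The DFIR Report's material; the events, paths and hash values are constructed, and the script assumes Sigma's default string semantics (`contains` and `endswith` are case-insensitive, the `re` modifier is applied as written, i.e. case-sensitive). The uppercase-hash event is included to show a case the regex as written does not cover.

```python
import re

# Selections transcribed from the Sigma rule above.
OPTION_GROUPS = {
    "option_ip": ["-i ", "--ip"],
    "option_domain": ["-d ", "--domain"],
    "option_username": ["-u ", "--username"],
}
HASH_FLAG = "--hash"
PARENT_SUFFIXES = ["\\powershell.exe", "\\cmd.exe"]
# Assumed backend behaviour: the 're' modifier is case-sensitive unless told otherwise.
HASH_RE = re.compile(r"[a-f0-9]{32}")


def contains_any(value: str, needles: list[str]) -> bool:
    """Sigma 'contains' over a list: case-insensitive substring, OR across the list."""
    lowered = value.lower()
    return any(n.lower() in lowered for n in needles)


def endswith_any(value: str, suffixes: list[str]) -> bool:
    """Sigma 'endswith' over a list: case-insensitive suffix match, OR across the list."""
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def explain(event: dict) -> dict:
    """Evaluate every named selection of the rule and return the per-selection results.

    Useful for triage: an analyst can see which clause kept an event from firing.
    """
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "")
    results = {name: contains_any(cmd, needles) for name, needles in OPTION_GROUPS.items()}
    results["hash_value1"] = contains_any(cmd, [HASH_FLAG])
    results["hash_value_re"] = HASH_RE.search(cmd) is not None
    results["parent"] = endswith_any(parent, PARENT_SUFFIXES)
    return results


def matches_rule(event: dict) -> bool:
    """condition: 1 of option_* and hash_value1 and hash_value_re and parent"""
    r = explain(event)
    one_of_options = any(r[name] for name in OPTION_GROUPS)
    return one_of_options and r["hash_value1"] and r["hash_value_re"] and r["parent"]


def run(events: list[dict]) -> list[int]:
    """Return the indexes of the events that satisfy the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


# Constructed sample events (not real telemetry); hashes are placeholder hex strings.
SAMPLE_EVENTS = [
    {   # 0: all clauses satisfied -> fires
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "pth_addadmin.exe -i 10.0.0.5 -d corp.example -u svc_backup "
                       "--hash 0123456789abcdef0123456789abcdef",
    },
    {   # 1: same tooling but the hash is uppercase -> hash_value_re fails as written
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "pth_addadmin.exe -i 10.0.0.5 -u svc_backup "
                       "--hash 0123456789ABCDEF0123456789ABCDEF",
    },
    {   # 2: launched from explorer.exe, not a shell -> parent clause fails
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "pth_createusers.exe -d corp.example -u newuser "
                       "--hash 0123456789abcdef0123456789abcdef",
    },
    {   # 3: no --hash flag at all -> hash_value1 fails
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "pth_createusers.exe -d corp.example -u newuser",
    },
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, matches_rule(ev), explain(ev))
```

Running the script shows only event 0 firing. Event 1 is the one worth noting in a deployment: whether an uppercase NT hash matches depends on how the target backend compiles the `re` modifier, so check that behaviour (or add a case-insensitive flag where the backend supports it) before relying on `hash_value_re`.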
