NIM Pass The Hash Tooling Detection
Detection of Nim pass-the-hash tooling that creates a remote user (pth_createusers.exe) and adds it to the local Administrators group (pth_addadmin.exe).
Sigma rule
title: NIM Pass The Hash Tooling Detection
id: d938de18-7f57-4c9c-93b9-a621c746d594
status: experimental
description: Detection of NIM Tooling that Creates a Remote User (pth_createusers.exe) and Adds them to Local Admins group (pth_addadmin.exe)
author: 'The DFIR Report'
date: 2023-10-27
modified: 2023-10-27
references:
    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise
logsource:
    category: process_creation
    product: windows
detection:
    option_ip:
        CommandLine|contains:
            - '-i '
            - '--ip'
    option_domain:
        CommandLine|contains:
            - '-d '
            - '--domain'
    option_username:
        CommandLine|contains:
            - '-u '
            - '--username'
    hash_value1: # The --hash can be used to pass the hash parameter.
        CommandLine|contains: '--hash'
    parent:
        ParentImage|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
    hash_value_re:
        CommandLine|re: '[a-f0-9]{32}'
    condition: 1 of option_* and hash_value1 and hash_value_re and parent
falsepositives:
    - Unknown
level: high
tags:
    - attack.t1136
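To see what the condition `1 of option_* and hash_value1 and hash_value_re and parent` actually selects, the following added example (not part of the rule or of The DFIR Report's tooling) transcribes the selections into Python and runs them over a handful of constructed process_creation events. It follows Sigma's matching semantics as the author of this note understands them: `contains` and `endswith` compare case-insensitively, while the `re` modifier is case-sensitive unless the `i` sub-modifier is added. The events, paths and the 32-hex-character hash are made up for the demonstration; the third event shows the case-sensitivity caveat, where an upper-case hash string passes `hash_value1` but not `hash_value_re`.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One Windows process_creation event (only the fields the rule uses)."""
    image: str
    command_line: str
    parent_image: str


# Selections transcribed from the Sigma rule above.
OPTION_SELECTIONS = {
    "option_ip": ["-i ", "--ip"],
    "option_domain": ["-d ", "--domain"],
    "option_username": ["-u ", "--username"],
}
HASH_FLAG = "--hash"
PARENT_SUFFIXES = ["\\powershell.exe", "\\cmd.exe"]
# Sigma's |re modifier is case-sensitive unless written as |re|i.
HASH_RE = re.compile(r"[a-f0-9]{32}")


def contains_any(value: str, needles) -> bool:
    """Sigma 'contains': case-insensitive substring match, any of the list."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def endswith_any(value: str, suffixes) -> bool:
    """Sigma 'endswith': case-insensitive suffix match, any of the list."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_rule(ev: ProcEvent) -> bool:
    """Evaluate: 1 of option_* and hash_value1 and hash_value_re and parent."""
    one_of_options = any(
        contains_any(ev.command_line, needles)
        for needles in OPTION_SELECTIONS.values()
    )
    hash_value1 = contains_any(ev.command_line, [HASH_FLAG])
    hash_value_re = HASH_RE.search(ev.command_line) is not None
    parent = endswith_any(ev.parent_image, PARENT_SUFFIXES)
    return one_of_options and hash_value1 and hash_value_re and parent


# Constructed sample events (hypothetical paths, IPs and hash value).
FAKE_HASH = "0123456789abcdef0123456789abcdef"
SAMPLE_EVENTS = [
    # 1: the pattern the rule is written for, launched from cmd.exe
    ProcEvent(
        image="C:\\Users\\Public\\pth_addadmin.exe",
        command_line=f"pth_addadmin.exe -i 10.10.1.5 -d corp.local -u admin --hash {FAKE_HASH}",
        parent_image="C:\\Windows\\System32\\cmd.exe",
    ),
    # 2: same command line, but parent is explorer.exe -> 'parent' fails
    ProcEvent(
        image="C:\\Users\\Public\\pth_addadmin.exe",
        command_line=f"pth_addadmin.exe -i 10.10.1.5 -d corp.local -u admin --hash {FAKE_HASH}",
        parent_image="C:\\Windows\\explorer.exe",
    ),
    # 3: upper-case hash -> 'hash_value1' passes, 'hash_value_re' does not
    ProcEvent(
        image="C:\\Users\\Public\\pth_addadmin.exe",
        command_line=f"pth_addadmin.exe -i 10.10.1.5 -u admin --hash {FAKE_HASH.upper()}",
        parent_image="C:\\Windows\\System32\\cmd.exe",
    ),
    # 4: benign tool sharing the '-i ' switch, no --hash -> no match
    ProcEvent(
        image="C:\\Windows\\System32\\PING.EXE",
        command_line="ping.exe -i 64 10.0.0.1",
        parent_image="C:\\Windows\\System32\\cmd.exe",
    ),
    # 5: the user-creation binary with long switches, from PowerShell
    ProcEvent(
        image="C:\\Users\\Public\\pth_createusers.exe",
        command_line=f"pth_createusers.exe --ip 10.10.1.5 --username svc_backup --hash {FAKE_HASH}",
        parent_image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    ),
]


def run_detection(events):
    """Return the Image of every event the rule would alert on, in order."""
    return [ev.image for ev in events if matches_rule(ev)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Only events 1 and 5 fire. Event 3 shows why an analyst tuning this rule may want `CommandLine|re|i` (or `[a-fA-F0-9]{32}`) if the tooling in their environment emits upper-case hashes; event 4 shows that the `1 of option_*` block alone is noisy and that the `--hash` and 32-hex conditions are what carry the rule's precision.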