Techniques
Sample rules
Detect Activity Related to Pass the Hash Attacks
- source: splunk
- techniques:
  - T1550
  - T1550.002
Description
This search looks for specific authentication events in the Windows Security Event logs to detect potential use of the Pass-the-Hash technique. This search is DEPRECATED because event code 4624 can generate a high volume of noise: legitimate logon events also produce this event code. This is especially true in environments with high levels of user activity, such as those with many concurrent logons or frequent logon attempts.
Detection logic
`wineventlog_security` EventCode=4624 (Logon_Type=3 Logon_Process=NtLmSsp NOT AccountName="ANONYMOUS LOGON") OR (Logon_Type=9 Logon_Process=seclogo)
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode, Logon_Type, WorkstationName, user, dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_activity_related_to_pass_the_hash_attacks_filter`
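The following Python is an added example, not part of the Splunk content or its macros: it replays the search's filter and `stats` aggregation over constructed 4624 records so that the exclusions (anonymous NTLM logon, Kerberos, logon type 2) and the `fillnull` behaviour on a missing WorkstationName are visible. Field names follow the search; the sample events and timestamps are constructed.

```python
# Constructed sample Windows Security 4624 records (epoch _time); not real logs.
SAMPLE_EVENTS = [
    {"_time": 100, "EventCode": 4624, "Logon_Type": 3, "Logon_Process": "NtLmSsp",
     "AccountName": "jdoe", "WorkstationName": "WS01", "user": "jdoe", "dest": "FS01"},
    {"_time": 160, "EventCode": 4624, "Logon_Type": 3, "Logon_Process": "NtLmSsp",
     "AccountName": "jdoe", "WorkstationName": "WS01", "user": "jdoe", "dest": "FS01"},
    # Anonymous NTLM network logon: dropped by NOT AccountName="ANONYMOUS LOGON"
    {"_time": 120, "EventCode": 4624, "Logon_Type": 3, "Logon_Process": "NtLmSsp",
     "AccountName": "ANONYMOUS LOGON", "WorkstationName": "WS02",
     "user": "ANONYMOUS LOGON", "dest": "FS01"},
    # Logon type 9 (NewCredentials) via seclogo; WorkstationName is missing
    {"_time": 130, "EventCode": 4624, "Logon_Type": 9, "Logon_Process": "seclogo",
     "AccountName": "admin", "WorkstationName": None, "user": "admin", "dest": "WS03"},
    # Kerberos network logon: not NTLM, so not matched
    {"_time": 140, "EventCode": 4624, "Logon_Type": 3, "Logon_Process": "Kerberos",
     "AccountName": "svc", "WorkstationName": "WS04", "user": "svc", "dest": "FS01"},
    # Interactive NTLM logon (type 2): outside the search's scope
    {"_time": 150, "EventCode": 4624, "Logon_Type": 2, "Logon_Process": "NtLmSsp",
     "AccountName": "jdoe", "WorkstationName": "WS01", "user": "jdoe", "dest": "WS01"},
]

BY_FIELDS = ("EventCode", "Logon_Type", "WorkstationName", "user", "dest")


def matches_pth_search(e):
    """Mirror the search's filter clause on a single event dict."""
    if e.get("EventCode") != 4624:
        return False
    ntlm_network = (e.get("Logon_Type") == 3 and e.get("Logon_Process") == "NtLmSsp"
                    and e.get("AccountName") != "ANONYMOUS LOGON")
    new_credentials = e.get("Logon_Type") == 9 and e.get("Logon_Process") == "seclogo"
    return ntlm_network or new_credentials


def run_search(events):
    """| fillnull | stats count min(_time) as firstTime max(_time) as lastTime by BY_FIELDS"""
    groups = {}
    for e in events:
        if not matches_pth_search(e):
            continue
        # fillnull with no arguments substitutes "0" for fields that are missing
        key = tuple("0" if e.get(f) is None else e[f] for f in BY_FIELDS)
        g = groups.setdefault(key, {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], e["_time"])
        g["lastTime"] = max(g["lastTime"], e["_time"])
    return [dict(zip(BY_FIELDS, k), **v) for k, v in sorted(groups.items(), key=lambda kv: str(kv[0]))]


if __name__ == "__main__":
    for row in run_search(SAMPLE_EVENTS):
        print(row)
```

Of the six constructed events only the two NTLM network logons for jdoe and the single seclogo logon survive, which illustrates why the noise concern is about volume rather than the filter itself: any NTLM type-3 logon by a real account matches.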