2018-01-27 09:57:30 +00:00
title : Pass the Hash Activity
2019-11-12 22:12:27 +00:00
id : f8d98d6c-7a07-4d74-b064-dd4a3c244528
2017-03-08 17:04:31 +00:00
status : experimental
2019-11-12 22:12:27 +00:00
description : Detects the attack technique pass the hash which is used to move laterally inside the network
2018-01-27 23:24:16 +00:00
references :
- https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
2017-03-08 17:04:31 +00:00
author : Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
2020-01-30 15:07:37 +00:00
date : 2017 /03/08
2018-07-24 05:50:32 +00:00
tags :
- attack.lateral_movement
- attack.t1075
2019-06-14 04:15:38 +00:00
- car.2016-04-004
2017-03-08 17:04:31 +00:00
logsource :
product : windows
service : security
2018-11-15 06:00:06 +00:00
definition : The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
2017-03-08 17:04:31 +00:00
detection :
selection :
- EventID : 4624
LogonType : '3'
2018-03-26 20:53:38 +00:00
LogonProcessName : 'NtLmSsp'
2017-03-18 22:05:16 +00:00
WorkstationName : '%Workstations%'
ComputerName : '%Workstations%'
2017-03-08 17:04:31 +00:00
- EventID : 4625
LogonType : '3'
2018-03-26 20:53:38 +00:00
LogonProcessName : 'NtLmSsp'
2017-03-18 22:05:16 +00:00
WorkstationName : '%Workstations%'
ComputerName : '%Workstations%'
2017-04-03 23:57:58 +00:00
filter :
AccountName : 'ANONYMOUS LOGON'
condition : selection and not filter
2017-03-08 17:04:31 +00:00
falsepositives :
- Administrator activity
- Penetration tests
2017-03-13 15:16:34 +00:00
level : medium