SigmaHQ/rules/windows/builtin/win_pass_the_hash.yml

36 lines
1.2 KiB
YAML
Raw Normal View History

2018-01-27 09:57:30 +00:00
title: Pass the Hash Activity
2019-11-12 22:12:27 +00:00
id: f8d98d6c-7a07-4d74-b064-dd4a3c244528
status: experimental
2019-11-12 22:12:27 +00:00
description: Detects the attack technique pass the hash which is used to move laterally inside the network
references:
- https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
date: 2017/03/08
2018-07-24 05:50:32 +00:00
tags:
- attack.lateral_movement
- attack.t1075
2019-06-14 04:15:38 +00:00
- car.2016-04-004
logsource:
product: windows
service: security
definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
detection:
selection:
- EventID: 4624
LogonType: '3'
LogonProcessName: 'NtLmSsp'
WorkstationName: '%Workstations%'
ComputerName: '%Workstations%'
- EventID: 4625
LogonType: '3'
LogonProcessName: 'NtLmSsp'
WorkstationName: '%Workstations%'
ComputerName: '%Workstations%'
filter:
AccountName: 'ANONYMOUS LOGON'
condition: selection and not filter
falsepositives:
- Administrator activity
- Penetration tests
2017-03-13 15:16:34 +00:00
level: medium