SigmaHQ/rules/windows/builtin/win_overpass_the_hash.yml

title: Successful Overpass the Hash Attempt
status: experimental
description: Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
references: 
    - https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html
author: Roberto Rodriguez (source), Dominik Schaudel (rule)
date: 2018/02/12
tags:
    - attack.lateral_movement
    - attack.t1075
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 9
        LogonProcessName: seclogo
        AuthenticationPackageName: Negotiate
    condition: selection
falsepositives:
    - Runas command-line tool using /netonly parameter
level: high
Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module 2018-02-12 20:57:22 +00:00			`title: Successful Overpass the Hash Attempt`
			`status: experimental`
			`description: Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.`
			`references:`
			`- https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html`
			`author: Roberto Rodriguez (source), Dominik Schaudel (rule)`
			`date: 2018/02/12`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`tags:`
			`- attack.lateral_movement`
			`- attack.t1075`
Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module 2018-02-12 20:57:22 +00:00			`logsource:`
			`product: windows`
			`service: security`
			`detection:`
			`selection:`
			`EventID: 4624`
			`LogonType: 9`
			`LogonProcessName: seclogo`
			`AuthenticationPackageName: Negotiate`
			`condition: selection`
			`falsepositives:`
			`- Runas command-line tool using /netonly parameter`
			`level: high`