SigmaHQ/rules/windows/builtin/win_pass_the_hash_2.yml

36 lines
1.2 KiB
YAML
Raw Normal View History

title: Pass the Hash Activity 2
2019-11-12 22:12:27 +00:00
id: 8eef149c-bd26-49f2-9e5a-9b00e3af499b
2020-07-24 03:28:11 +00:00
status: stable
2019-11-12 22:12:27 +00:00
description: Detects the attack technique pass the hash which is used to move laterally inside the network
references:
- https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
- https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
- https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
date: 2019/06/14
tags:
- attack.lateral_movement
- attack.t1075 # an old one
2020-06-16 20:46:08 +00:00
- attack.t1550.002
logsource:
product: windows
service: security
definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624
detection:
selection:
- EventID: 4624
2020-06-16 21:01:13 +00:00
SubjectUserSid: 'S-1-0-0'
LogonType: '3'
LogonProcessName: 'NtLmSsp'
KeyLength: '0'
- EventID: 4624
2020-06-16 21:01:13 +00:00
LogonType: '9'
LogonProcessName: 'seclogo'
filter:
AccountName: 'ANONYMOUS LOGON'
condition: selection and not filter
falsepositives:
- Administrator activity
- Penetration tests
level: medium