SigmaHQ/rules/windows/builtin/win_pass_the_hash.yml

title: Pass the Hash Activity
status: experimental
description: 'Detects the attack technique pass the hash which is used to move laterally inside the network'
references:
    - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
tags:
    - attack.lateral_movement
    - attack.t1075
logsource:
    product: windows
    service: security
    definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
detection:
    selection:
        - EventID: 4624
          LogonType: '3'
          LogonProcessName: 'NtLmSsp'
          WorkstationName: '%Workstations%'
          ComputerName: '%Workstations%'
        - EventID: 4625
          LogonType: '3'
          LogonProcessName: 'NtLmSsp'
          WorkstationName: '%Workstations%'
          ComputerName: '%Workstations%'
    filter:
        AccountName: 'ANONYMOUS LOGON'
    condition: selection and not filter
falsepositives:
    - Administrator activity
    - Penetration tests
level: medium
Massive Title Cleanup 2018-01-27 09:57:30 +00:00			`title: Pass the Hash Activity`
Create win_pass_the_hash.yml Rule to detects the attack technique pass the hash which is used to move laterally inside the network 2017-03-08 17:04:31 +00:00			`status: experimental`
Update win_pass_the_hash.yml 2017-03-08 19:35:26 +00:00			`description: 'Detects the attack technique pass the hash which is used to move laterally inside the network'`
Change All "str" references to be "list"to mach schema update 2018-01-27 23:24:16 +00:00			`references:`
			`- https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events`
Create win_pass_the_hash.yml Rule to detects the attack technique pass the hash which is used to move laterally inside the network 2017-03-08 17:04:31 +00:00			`author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`tags:`
			`- attack.lateral_movement`
			`- attack.t1075`
Create win_pass_the_hash.yml Rule to detects the attack technique pass the hash which is used to move laterally inside the network 2017-03-08 17:04:31 +00:00			`logsource:`
			`product: windows`
			`service: security`
Replace "logsource: description" with "definition" to match the specs 2018-11-15 06:00:06 +00:00			`definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625`
Create win_pass_the_hash.yml Rule to detects the attack technique pass the hash which is used to move laterally inside the network 2017-03-08 17:04:31 +00:00			`detection:`
			`selection:`
			`- EventID: 4624`
			`LogonType: '3'`
Various rule fixes * Field name: LogonProcess -> LogonProcessName * Field name: Message -> AuditPolicyChanges * Field name: ProcessCommandLine -> CommandLine * Removed Type match in Kerberos RC4 encryption rule Problematic because text representation not unified and audit failures are possibly interesting events * Removed field 'Severity' from rules (Redundant) * Rule decomposition of win_susp_failed_logons_single_source) because of different field names * Field name: SubjectAccountName -> SubjectUserName * Field name: TargetProcess -> TargetImage * Field name: TicketEncryption -> TicketEncryptionType * Field name: TargetFileName -> TargetFilename 2018-03-26 20:53:38 +00:00			`LogonProcessName: 'NtLmSsp'`
Changed values with placeholders to quoted strings Values beginning with % cause YAML parse error 2017-03-18 22:05:16 +00:00			`WorkstationName: '%Workstations%'`
			`ComputerName: '%Workstations%'`
Create win_pass_the_hash.yml Rule to detects the attack technique pass the hash which is used to move laterally inside the network 2017-03-08 17:04:31 +00:00			`- EventID: 4625`
			`LogonType: '3'`
Various rule fixes * Field name: LogonProcess -> LogonProcessName * Field name: Message -> AuditPolicyChanges * Field name: ProcessCommandLine -> CommandLine * Removed Type match in Kerberos RC4 encryption rule Problematic because text representation not unified and audit failures are possibly interesting events * Removed field 'Severity' from rules (Redundant) * Rule decomposition of win_susp_failed_logons_single_source) because of different field names * Field name: SubjectAccountName -> SubjectUserName * Field name: TargetProcess -> TargetImage * Field name: TicketEncryption -> TicketEncryptionType * Field name: TargetFileName -> TargetFilename 2018-03-26 20:53:38 +00:00			`LogonProcessName: 'NtLmSsp'`
Changed values with placeholders to quoted strings Values beginning with % cause YAML parse error 2017-03-18 22:05:16 +00:00			`WorkstationName: '%Workstations%'`
			`ComputerName: '%Workstations%'`
improved win_pass_the_hash.yml rule — deleted useless KeyLength: '0' — added filter condition to exclude AccountName='ANONYMOUS LOGON', because of false positives [1] [1] http://serverfault.com/questions/338644/what-are-anonymous-logons-in-win dows-event-log 2017-04-03 23:57:58 +00:00			`filter:`
			`AccountName: 'ANONYMOUS LOGON'`
			`condition: selection and not filter`
Create win_pass_the_hash.yml Rule to detects the attack technique pass the hash which is used to move laterally inside the network 2017-03-08 17:04:31 +00:00			`falsepositives:`
			`- Administrator activity`
			`- Penetration tests`
Update win_pass_the_hash.yml 2017-03-13 15:16:34 +00:00			`level: medium`