SigmaHQ/rules/windows/builtin/win_pass_the_hash.yml

title: Pass the Hash Activity
id: f8d98d6c-7a07-4d74-b064-dd4a3c244528
status: experimental
description: Detects the attack technique pass the hash which is used to move laterally inside the network
references:
    - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
date: 2017/03/08
tags:
    - attack.lateral_movement
    - attack.t1075          # an old one
    - car.2016-04-004
    - attack.t1550.002
logsource:
    product: windows
    service: security
    definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
detection:
    selection:
        - EventID: 4624
          LogonType: '3'
          LogonProcessName: 'NtLmSsp'
          WorkstationName: '%Workstations%'
          ComputerName: '%Workstations%'
        - EventID: 4625
          LogonType: '3'
          LogonProcessName: 'NtLmSsp'
          WorkstationName: '%Workstations%'
          ComputerName: '%Workstations%'
    filter:
        AccountName: 'ANONYMOUS LOGON'
    condition: selection and not filter
falsepositives:
    - Administrator activity
    - Penetration tests
level: medium
Massive Title Cleanup 2018-01-27 09:57:30 +00:00			`title: Pass the Hash Activity`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: f8d98d6c-7a07-4d74-b064-dd4a3c244528`
Create win_pass_the_hash.yml Rule to detects the attack technique pass the hash which is used to move laterally inside the network 2017-03-08 17:04:31 +00:00			`status: experimental`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`description: Detects the attack technique pass the hash which is used to move laterally inside the network`
Change All "str" references to be "list"to mach schema update 2018-01-27 23:24:16 +00:00			`references:`
			`- https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events`
Create win_pass_the_hash.yml Rule to detects the attack technique pass the hash which is used to move laterally inside the network 2017-03-08 17:04:31 +00:00			`author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`date: 2017/03/08`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`tags:`
			`- attack.lateral_movement`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-24 23:09:17 +00:00			`- attack.t1075 # an old one`
First Pass 2019-06-14 04:15:38 +00:00			`- car.2016-04-004`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- attack.t1550.002`
Create win_pass_the_hash.yml Rule to detects the attack technique pass the hash which is used to move laterally inside the network 2017-03-08 17:04:31 +00:00			`logsource:`
			`product: windows`
			`service: security`
Replace "logsource: description" with "definition" to match the specs 2018-11-15 06:00:06 +00:00			`definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625`
Create win_pass_the_hash.yml Rule to detects the attack technique pass the hash which is used to move laterally inside the network 2017-03-08 17:04:31 +00:00			`detection:`
			`selection:`
			`- EventID: 4624`
Fixed indentation 2020-06-16 21:01:13 +00:00			`LogonType: '3'`
			`LogonProcessName: 'NtLmSsp'`
			`WorkstationName: '%Workstations%'`
			`ComputerName: '%Workstations%'`
Create win_pass_the_hash.yml Rule to detects the attack technique pass the hash which is used to move laterally inside the network 2017-03-08 17:04:31 +00:00			`- EventID: 4625`
Fixed indentation 2020-06-16 21:01:13 +00:00			`LogonType: '3'`
			`LogonProcessName: 'NtLmSsp'`
			`WorkstationName: '%Workstations%'`
			`ComputerName: '%Workstations%'`
improved win_pass_the_hash.yml rule — deleted useless KeyLength: '0' — added filter condition to exclude AccountName='ANONYMOUS LOGON', because of false positives [1] [1] http://serverfault.com/questions/338644/what-are-anonymous-logons-in-win dows-event-log 2017-04-03 23:57:58 +00:00			`filter:`
			`AccountName: 'ANONYMOUS LOGON'`
			`condition: selection and not filter`
Create win_pass_the_hash.yml Rule to detects the attack technique pass the hash which is used to move laterally inside the network 2017-03-08 17:04:31 +00:00			`falsepositives:`
			`- Administrator activity`
			`- Penetration tests`
Update win_pass_the_hash.yml 2017-03-13 15:16:34 +00:00			`level: medium`