SigmaHQ/rules/windows/builtin/win_pass_the_hash.yml

title: Detects Pass the Hash Activity
status: experimental
description: 'Detects the attack technique pass the hash which is used to move laterally inside the network'
reference: https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
logsource:
    product: windows
    service: security
    description: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
detection:
    selection:
        - EventID: 4624
          LogonType: '3'
          LogonProcess: 'NtLmSsp'
          WorkstationName: '%Workstations%'
          ComputerName: '%Workstations%'
        - EventID: 4625
          LogonType: '3'
          LogonProcess: 'NtLmSsp'
          WorkstationName: '%Workstations%'
          ComputerName: '%Workstations%'
    filter:
        AccountName: 'ANONYMOUS LOGON'
    condition: selection and not filter
falsepositives:
    - Administrator activity
    - Penetration tests
level: medium
Update win_pass_the_hash.yml 2017-03-13 15:16:34 +00:00			`title: Detects Pass the Hash Activity`
Create win_pass_the_hash.yml Rule to detects the attack technique pass the hash which is used to move laterally inside the network 2017-03-08 17:04:31 +00:00			`status: experimental`
Update win_pass_the_hash.yml 2017-03-08 19:35:26 +00:00			`description: 'Detects the attack technique pass the hash which is used to move laterally inside the network'`
Create win_pass_the_hash.yml Rule to detects the attack technique pass the hash which is used to move laterally inside the network 2017-03-08 17:04:31 +00:00			`reference: https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events`
			`author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)`
			`logsource:`
			`product: windows`
			`service: security`
			`description: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625`
			`detection:`
			`selection:`
			`- EventID: 4624`
			`LogonType: '3'`
Update win_pass_the_hash.yml Edited, added additional indicators. Reference: https://www.binarydefense.com/bds/reliably-detecting-pass-the-hash-through-event-log-analysis/ 2017-03-08 17:48:06 +00:00			`LogonProcess: 'NtLmSsp'`
Changed values with placeholders to quoted strings Values beginning with % cause YAML parse error 2017-03-18 22:05:16 +00:00			`WorkstationName: '%Workstations%'`
			`ComputerName: '%Workstations%'`
Create win_pass_the_hash.yml Rule to detects the attack technique pass the hash which is used to move laterally inside the network 2017-03-08 17:04:31 +00:00			`- EventID: 4625`
			`LogonType: '3'`
Update win_pass_the_hash.yml Edited, added additional indicators. Reference: https://www.binarydefense.com/bds/reliably-detecting-pass-the-hash-through-event-log-analysis/ 2017-03-08 17:48:06 +00:00			`LogonProcess: 'NtLmSsp'`
Changed values with placeholders to quoted strings Values beginning with % cause YAML parse error 2017-03-18 22:05:16 +00:00			`WorkstationName: '%Workstations%'`
			`ComputerName: '%Workstations%'`
improved win_pass_the_hash.yml rule — deleted useless KeyLength: '0' — added filter condition to exclude AccountName='ANONYMOUS LOGON', because of false positives [1] [1] http://serverfault.com/questions/338644/what-are-anonymous-logons-in-win dows-event-log 2017-04-03 23:57:58 +00:00			`filter:`
			`AccountName: 'ANONYMOUS LOGON'`
			`condition: selection and not filter`
Create win_pass_the_hash.yml Rule to detects the attack technique pass the hash which is used to move laterally inside the network 2017-03-08 17:04:31 +00:00			`falsepositives:`
			`- Administrator activity`
			`- Penetration tests`
Update win_pass_the_hash.yml 2017-03-13 15:16:34 +00:00			`level: medium`