title: Successful Overpass the Hash Attempt
status: experimental
description: Detects a successful logon (Event ID 4624) with logon type 9 (NewCredentials), the pattern produced by Overpass-the-Hash tooling such as Mimikatz's sekurlsa::pth module.
references:
    - https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html
author: Roberto Rodriguez (source), Dominik Schaudel (rule)
date: 2018/02/12
tags:
    - attack.lateral_movement
    - attack.t1075
    - attack.s0002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 9
        LogonProcessName: seclogo
        AuthenticationPackageName: Negotiate
    condition: selection
falsepositives:
    - Runas command-line tool using /netonly parameter
level: high
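The selection above, evaluated over a handful of constructed Security events, as an added example in Python (this is not part of the rule or of the Sigma project). The event XML layout and namespace are those of the Windows event log; the sample events themselves are constructed, carry only the fields the rule reads plus a user name, and deliberately include a `runas /netonly` logon that looks identical to the Overpass-the-Hash one:

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (wevtutil / Get-WinEvent ... .ToXml()).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The rule's selection block, transcribed from the YAML above.
SELECTION = {
    "EventID": "4624",
    "LogonType": "9",
    "LogonProcessName": "seclogo",
    "AuthenticationPackageName": "Negotiate",
}


def parse_event_xml(xml_text: str) -> dict:
    """Flatten one Security-channel event into {field: value}.

    EventID comes from <System>; every <Data Name="..."> under <EventData>
    becomes a field. Values are stripped because Windows pads some of them
    (e.g. "User32 " / "NtLmSsp "), which would otherwise defeat exact matches.
    """
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", "", NS).strip()}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields


def matches(event: dict, selection: dict = SELECTION) -> bool:
    """Sigma selection semantics: every listed field must be present and equal
    to its value (implicit AND); the rule's condition is just `selection`.
    Comparison is case-insensitive on the string form, as Sigma backends do."""
    return all(
        str(event.get(field, "")).lower() == str(expected).lower()
        for field, expected in selection.items()
    )


def _event(event_id, logon_type, logon_process, auth_package, user="alice"):
    """Constructed sample event carrying only the fields the rule reads (plus a user)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>{event_id}</EventID>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="LogonProcessName">{logon_process}</Data>
    <Data Name="AuthenticationPackageName">{auth_package}</Data>
  </EventData>
</Event>"""


# Constructed sample log, not captured data. Keys describe the scenario.
SAMPLE_EVENTS = {
    "console logon (type 2)": _event(4624, 2, "User32 ", "Negotiate"),
    "NTLM network logon (type 3)": _event(4624, 3, "NtLmSsp ", "NTLM"),
    "sekurlsa::pth style NewCredentials logon": _event(4624, 9, "seclogo", "Negotiate"),
    "runas /netonly NewCredentials logon": _event(4624, 9, "seclogo", "Negotiate"),
    "failed type-9 logon (4625)": _event(4625, 9, "seclogo", "Negotiate"),
}


def run_rule(events: dict) -> list:
    """Return the names of the events the rule fires on, in input order."""
    return [name for name, xml in events.items() if matches(parse_event_xml(xml))]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running it fires on both type-9 `seclogo`/`Negotiate` logons and on nothing else. The `runas /netonly` event is the listed false positive: the four fields the rule keys on cannot separate it from a `sekurlsa::pth` logon, so triage has to lean on the other 4624 fields (for instance the originating `ProcessName` and `SubjectUserName`) or on process telemetry from around the time of the logon.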