title: Successful Overpass the Hash Attempt status: experimental description: Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module. references: - https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html author: Roberto Rodriguez (source), Dominik Schaudel (rule) date: 2018/02/12 tags: - attack.lateral_movement - attack.t1075 logsource: product: windows service: security detection: selection: EventID: 4624 LogonType: 9 LogonProcessName: seclogo AuthenticationPackageName: Negotiate condition: selection falsepositives: - Runas command-line tool using /netonly parameter level: high