SigmaHQ/rules/windows/builtin/win_overpass_the_hash.yml
2018-07-24 07:50:32 +02:00

23 lines
768 B
YAML

title: Successful Overpass the Hash Attempt
status: experimental
description: Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
references:
- https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html
author: Roberto Rodriguez (source), Dominik Schaudel (rule)
date: 2018/02/12
tags:
- attack.lateral_movement
- attack.t1075
logsource:
product: windows
service: security
detection:
selection:
EventID: 4624
LogonType: 9
LogonProcessName: seclogo
AuthenticationPackageName: Negotiate
condition: selection
falsepositives:
- Runas command-line tool using /netonly parameter
level: high