This search looks for specific authentication events from the Windows Security Event logs to detect potential attempts at using the Pass-the-Hash technique.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2020-10-15
- Author: Bhavin Patel, Patrick Bareiss, Splunk
- ID: f5939373-8054-40ad-8c64-cec478a22a4b
| ID | Technique | Tactic |
| --- | --- | --- |
| T1550.002 | Pass the Hash | Defense Evasion, Lateral Movement |
```
`wineventlog_security` EventCode=4624
  (Logon_Type=3 Logon_Process=NtLmSsp WorkstationName=WORKSTATION NOT AccountName="ANONYMOUS LOGON")
  OR (Logon_Type=9 Logon_Process=seclogo)
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode, Logon_Type, WorkstationName, user, dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_activity_related_to_pass_the_hash_attacks_filter`
```
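As an added illustration that is not part of the Splunk detection itself, the same selection and aggregation logic written in Python and run over a few constructed 4624 records: field names follow the search, the trailing `*_filter` macro is omitted, and `ctime` assumes UTC.

```python
import time

# Constructed sample 4624 records (not real log data); _time is epoch seconds.
SAMPLE_EVENTS = [
    {"_time": 1602720000, "EventCode": 4624, "Logon_Type": 3, "Logon_Process": "NtLmSsp",
     "WorkstationName": "WORKSTATION", "AccountName": "jdoe", "user": "jdoe", "dest": "srv01"},
    {"_time": 1602720060, "EventCode": 4624, "Logon_Type": 3, "Logon_Process": "NtLmSsp",
     "WorkstationName": "WORKSTATION", "AccountName": "jdoe", "user": "jdoe", "dest": "srv01"},
    # Anonymous NTLM logon: dropped by the NOT AccountName="ANONYMOUS LOGON" clause.
    {"_time": 1602720120, "EventCode": 4624, "Logon_Type": 3, "Logon_Process": "NtLmSsp",
     "WorkstationName": "WORKSTATION", "AccountName": "ANONYMOUS LOGON",
     "user": "ANONYMOUS LOGON", "dest": "srv01"},
    # Kerberos network logon: Logon_Process is not NtLmSsp, so it is not matched.
    {"_time": 1602720180, "EventCode": 4624, "Logon_Type": 3, "Logon_Process": "Kerberos",
     "WorkstationName": "WORKSTATION", "AccountName": "asmith", "user": "asmith", "dest": "srv01"},
    # Logon type 9 (NewCredentials) through seclogo: the second branch of the search.
    {"_time": 1602720240, "EventCode": 4624, "Logon_Type": 9, "Logon_Process": "seclogo",
     "AccountName": "admin", "user": "admin", "dest": "wks07"},
]

GROUP_BY = ("EventCode", "Logon_Type", "WorkstationName", "user", "dest")

def matches(e):
    """The search's selection clause: EventCode=4624 AND (NTLM network branch OR seclogo branch)."""
    if e.get("EventCode") != 4624:
        return False
    ntlm_network = (e.get("Logon_Type") == 3 and e.get("Logon_Process") == "NtLmSsp"
                    and e.get("WorkstationName") == "WORKSTATION"
                    and e.get("AccountName") != "ANONYMOUS LOGON")
    new_creds = e.get("Logon_Type") == 9 and e.get("Logon_Process") == "seclogo"
    return ntlm_network or new_creds

def ctime(epoch):
    """Stand-in for `security_content_ctime`; this version assumes UTC (the macro uses the search time zone)."""
    return time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(epoch))

def detect(events):
    """Mirror of `| fillnull | stats count min(_time) as firstTime max(_time) as lastTime by ...`."""
    groups = {}
    for e in filter(matches, events):
        # fillnull: a field absent from the event becomes "0" before grouping.
        key = tuple(e.get(f, "0") for f in GROUP_BY)
        g = groups.setdefault(key, {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], e["_time"])
        g["lastTime"] = max(g["lastTime"], e["_time"])
    # Present firstTime/lastTime the way the search does after security_content_ctime.
    return {k: {"count": g["count"], "firstTime": ctime(g["firstTime"]),
                "lastTime": ctime(g["lastTime"])} for k, g in groups.items()}
```

The two "jdoe" events collapse into one row with count 2, the anonymous and Kerberos logons are dropped, and the seclogo event forms its own row with WorkstationName filled as "0".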
Associated Analytic Story
How To Implement
To successfully implement this search, you must ingest your Windows Security Event logs and use the latest Splunk Add-on for Microsoft Windows (TA for Windows), which supplies the field extractions the search relies on.
Kill Chain Phase
- Actions on Objectives
Known False Positives
Legitimate logon activity by authorized NTLM systems may be detected by this search. Please investigate as appropriate.
| Risk Score | Impact | Confidence | Message |
| --- | --- | --- | --- |
| 49.0 | 70 | 70 | The following $EventCode$ occurred on $dest$ by $user$ with Logon Type 3, which may be indicative of the pass the hash technique. |
source | version: 5