sigmahighHunting

Successful Overpass the Hash Attempt

Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.

MITRE ATT&CK

S0002 T1550.002

defense-evasionlateral-movement

Detection Query

selection:
  EventID: 4624
  LogonType: 9
  LogonProcessName: seclogo
  AuthenticationPackageName: Negotiate
condition: selection

Author

Roberto Rodriguez (source), Dominik Schaudel (rule)

Created

2018-02-12

Data Sources

windowssecurity

Platforms

windows

References

https://web.archive.org/web/20220419045003/https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for.html

Tags

attack.defense-evasionattack.lateral-movementattack.s0002attack.t1550.002

Raw Content

title: Successful Overpass the Hash Attempt
id: 192a0330-c20b-4356-90b6-7b7049ae0b87
status: test
description: Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
references:
    - https://web.archive.org/web/20220419045003/https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for.html
author: Roberto Rodriguez (source), Dominik Schaudel (rule)
date: 2018-02-12
modified: 2021-11-27
tags:
    - attack.defense-evasion
    - attack.lateral-movement
    - attack.s0002
    - attack.t1550.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 9
        LogonProcessName: seclogo
        AuthenticationPackageName: Negotiate
    condition: selection
falsepositives:
    - Runas command-line tool using /netonly parameter
level: high