← Back to Explore
sigmamediumTTP
Pass the Hash Activity 2
Detects the attack technique pass the hash which is used to move laterally inside the network
Detection Query
selection_logon3:
EventID: 4624
SubjectUserSid: S-1-0-0
LogonType: 3
LogonProcessName: NtLmSsp
KeyLength: 0
selection_logon9:
EventID: 4624
LogonType: 9
LogonProcessName: seclogo
filter:
TargetUserName: ANONYMOUS LOGON
condition: 1 of selection_* and not filter
Author
Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
Created
2019-06-14
Data Sources
windowssecurity
Platforms
windows
References
Tags
attack.defense-evasionattack.lateral-movementattack.t1550.002
Raw Content
title: Pass the Hash Activity 2
id: 8eef149c-bd26-49f2-9e5a-9b00e3af499b
status: stable
description: Detects the attack technique pass the hash which is used to move laterally inside the network
references:
- https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
- https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
date: 2019-06-14
modified: 2022-10-05
tags:
- attack.defense-evasion
- attack.lateral-movement
- attack.t1550.002
logsource:
product: windows
service: security
definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624
detection:
selection_logon3:
EventID: 4624
SubjectUserSid: 'S-1-0-0'
LogonType: 3
LogonProcessName: 'NtLmSsp'
KeyLength: 0
selection_logon9:
EventID: 4624
LogonType: 9
LogonProcessName: 'seclogo'
filter:
TargetUserName: 'ANONYMOUS LOGON'
condition: 1 of selection_* and not filter
falsepositives:
- Administrator activity
level: medium