Detectionhightest

Successful Overpass the Hash Attempt

Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Roberto Rodriguez (Cyb3rWard0g), Dominik SchaudelCreated Mon Feb 12Updated Sat Nov 27192a0330-c20b-4356-90b6-7b7049ae0b87windows

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Detection Logic

detection:
    selection:
        EventID: 4624
        LogonType: 9
        LogonProcessName: seclogo
        AuthenticationPackageName: Negotiate
    condition: selection

False Positives

Runas command-line tool using /netonly parameter

References

Resolving title…

web.archive.org

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0008 · Lateral Movement

Sub-techniques

T1550.002 · Pass the Hash

Software

S0002 · Mimikatz

Rule Metadata

Rule ID

192a0330-c20b-4356-90b6-7b7049ae0b87

Status

test

Level

high

Type

Detection

Created

Mon Feb 12

Modified

Sat Nov 27

Author

Roberto Rodriguez (Cyb3rWard0g), Dominik Schaudel

Path

rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml

Raw Tags

attack.defense-evasionattack.lateral-movementattack.s0002attack.t1550.002

View on GitHub