Detection | medium | stable
Pass the Hash Activity 2
Detects the pass-the-hash attack technique, which is used to move laterally inside the network.
Author: Dave Kennedy, Jeff Warren (method) / David Vassallo
Log Source
Product: windows
Service: security
Definition
The successful use of PtH (pass the hash) for lateral movement between workstations would trigger event ID 4624.
Detection Logic (3 selectors)
detection:
    selection_logon3:
        EventID: 4624
        SubjectUserSid: 'S-1-0-0'
        LogonType: 3
        LogonProcessName: 'NtLmSsp'
        KeyLength: 0
    selection_logon9:
        EventID: 4624
        LogonType: 9
        LogonProcessName: 'seclogo'
    filter:
        TargetUserName: 'ANONYMOUS LOGON'
    condition: 1 of selection_* and not filter

False Positives
Administrator activity
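To show exactly which Security-log events the detection block above selects, here is a small evaluator for this one rule's condition (`1 of selection_* and not filter`), run over constructed 4624 events. This is an added example, not code from the rule page or the Sigma project; the field names and values are taken from the rule, the sample events and their EventRecordID values are constructed, and the case-insensitive string comparison mirrors Sigma's default matching.

```python
"""Evaluate the pass-the-hash rule's detection block over constructed 4624 events.

Added example (not from the rule page or Sigma). It implements only what
this rule needs: AND within a selection map, OR across selection_* maps,
and a NOT for the filter map.
"""
from typing import Any

# Selections copied from the rule's detection block (same field names and values).
SELECTIONS = {
    "selection_logon3": {
        "EventID": 4624,
        "SubjectUserSid": "S-1-0-0",
        "LogonType": 3,
        "LogonProcessName": "NtLmSsp",
        "KeyLength": 0,
    },
    "selection_logon9": {
        "EventID": 4624,
        "LogonType": 9,
        "LogonProcessName": "seclogo",
    },
}
FILTER = {"TargetUserName": "ANONYMOUS LOGON"}


def _same(actual: Any, expected: Any) -> bool:
    """Sigma string matching is case-insensitive, and numeric fields in Windows
    logs usually arrive as strings after XML/JSON parsing, so compare via str()."""
    return str(actual).strip().lower() == str(expected).lower()


def matches(event: dict, selection: dict) -> bool:
    """Every field in a selection map must match (Sigma AND semantics)."""
    return all(field in event and _same(event[field], value)
               for field, value in selection.items())


def rule_fires(event: dict) -> bool:
    """condition: 1 of selection_* and not filter"""
    any_selection = any(matches(event, sel) for sel in SELECTIONS.values())
    return any_selection and not matches(event, FILTER)


def evaluate(events: list[dict]) -> list[str]:
    """Return the EventRecordID of every event the rule would alert on."""
    return [e["EventRecordID"] for e in events if rule_fires(e)]


# Constructed sample events (not real telemetry). Values are strings, as they
# typically are once the Security log has been parsed.
SAMPLE_EVENTS = [
    {   # NTLM network logon, null subject SID, no session key: fires (selection_logon3)
        "EventRecordID": "1001", "EventID": "4624", "SubjectUserSid": "S-1-0-0",
        "LogonType": "3", "LogonProcessName": "NtLmSsp", "KeyLength": "0",
        "TargetUserName": "alice",
    },
    {   # Same shape but ANONYMOUS LOGON: excluded by the filter
        "EventRecordID": "1002", "EventID": "4624", "SubjectUserSid": "S-1-0-0",
        "LogonType": "3", "LogonProcessName": "NtLmSsp", "KeyLength": "0",
        "TargetUserName": "ANONYMOUS LOGON",
    },
    {   # NewCredentials (type 9) logon through seclogo: fires (selection_logon9)
        "EventRecordID": "1003", "EventID": "4624", "SubjectUserSid": "S-1-5-21-1-2-3-1001",
        "LogonType": "9", "LogonProcessName": "seclogo", "KeyLength": "0",
        "TargetUserName": "bob",
    },
    {   # Ordinary Kerberos network logon with a 128-bit session key: no match
        "EventRecordID": "1004", "EventID": "4624", "SubjectUserSid": "S-1-0-0",
        "LogonType": "3", "LogonProcessName": "Kerberos", "KeyLength": "128",
        "TargetUserName": "carol",
    },
    {   # NTLM logon where a 128-bit session key was negotiated: no match (KeyLength must be 0)
        "EventRecordID": "1005", "EventID": "4624", "SubjectUserSid": "S-1-0-0",
        "LogonType": "3", "LogonProcessName": "NtLmSsp", "KeyLength": "128",
        "TargetUserName": "dave",
    },
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # ['1001', '1003']
```

Event 1002 shows why the filter exists: anonymous NTLM logons share the null-SID, zero-key-length shape of the first selection and would otherwise be constant noise. Events 1004 and 1005 illustrate the two fields that separate a suspicious NTLM network logon from routine traffic in this rule, the logon process and the session key length; the remaining matches are where the "Administrator activity" false positive noted above has to be triaged.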
MITRE ATT&CK
Tactics: Defense Evasion, Lateral Movement
Sub-techniques
T1550.002 (Use Alternate Authentication Material: Pass the Hash)
Rule Metadata
Rule ID
8eef149c-bd26-49f2-9e5a-9b00e3af499b
Status
stable
Level
medium
Type
Detection
Created
Fri Jun 14
Modified
Wed Oct 05
Path
rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml
Raw Tags
attack.defense-evasion, attack.lateral-movement, attack.t1550.002