Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to Detect Pass the Hash

johann2017
Explorer
‎11-19-2019 01:05 PM

Hello there! I am trying to build a Splunk alert to detect Pass the Hash. In another post it was recommended to try using the searches below. I tested out the searches but they yield some false positives. I wanted to re-post here and see if anyone has any other other recommendations besides the searches below?

index=wineventlog EventCode=4624 Logon_Type=9 Authentication_Package=Negotiate Logon_Process=seclogo

index=wineventlog Logon_Process=Seclogo Logon_Type!=2

Tags (1)
0 Karma
Reply

jiangzhaohua
New Member
‎02-28-2020 07:15 AM

working on the same thing, just want to share some ideas.

index=wineventlog EventCode=4624 Logon_Type=9 Authentication_Package=Negotiate Logon_Process=seclogo
index=wineventlog Logon_Process=Seclogo Logon_Type!=2

I recommend you read this first:
https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/

According to this article, you can see the "logon_type=9"and "Logon_Process=seclogo" will show up in the event log of the source host.
I did some PTH POC and I agree with this article.
Imagine a users laptop was compromised, he is trying PTH everywhere in your network.
Usually we don't collect wineventlog on a laptop right? So this rule won't fire in this scenario.

My observation is, if a PTH is success in your network, you will see 3 winevent log on the target host at the SAME TIME (eventcode=4672+eventcode=4624+eventcode=5140)
Try write a search based on this idea?
The defect is, the rule will fire only when the PTH is already success, can't detection PTH attempt.
That's all i have man...Please let me know your method if this is been resolved!

0 Karma
Reply

to4kawa
Ultra Champion
‎02-28-2020 10:29 AM

for (eventcode=4672+eventcode=4624+eventcode=5140) occurs same time

 index=wineventlog (EventCode=4624 OR EventCode=4624 OR EventCode=5140) Authentication_Package=Negotiate 
| eval time = _time
| bin span=1s time
| stats dc(EventCode) as EventCode_count by host time
| rename time as _time
| where EventCode_count =3
Reply

to4kawa
Ultra Champion
‎11-23-2019 06:57 PM

HOW TO DETECT PASS-THE-HASH ATTACKS

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
     *[System[(EventID='4624')]
      and
     EventData[Data[@Name='LogonType']='9']
      and
     EventData[Data[@Name='LogonProcessName']='seclogo']
     and
     EventData[Data[@Name='AuthenticationPackageName']='Negotiate']
     ]
     </Select>
  </Query>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">
    *[System[(EventID=10)]]
    and
    *[EventData[Data[@Name='GrantedAccess'] and (Data='0x1010' or Data='0x1038')]]
</Select>
  </Query>
</QueryList>

Microsoft-Windows-Sysmon/Operational is necessary when considering from the cited article.

0 Karma
Reply

johann2017
Explorer
‎11-25-2019 09:50 AM

Hello! Is this syntax something I need to add to my inputs.conf or what? I am not 100% clear where to implement this... thanks!

0 Karma
Reply

to4kawa
Ultra Champion
‎11-25-2019 10:17 AM

This is an XPATH query written on HP.
Therefore, it cannot be used as it is.
If you have the sourcetype XmlWinEventLog: Microsoft-Windows-Sysmon / Operational ,

check this

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...