
How to Detect Pass the Hash

Explorer

Hello there! I am trying to build a Splunk alert to detect Pass the Hash. In another post it was recommended to try using the searches below. I tested out the searches but they yield some false positives. I wanted to re-post here and see if anyone has any other recommendations besides the searches below?

index=wineventlog EventCode=4624 Logon_Type=9 Authentication_Package=Negotiate Logon_Process=seclogo

index=wineventlog Logon_Process=Seclogo Logon_Type!=2

0 Karma

New Member

Working on the same thing, just want to share some ideas.

index=wineventlog EventCode=4624 Logon_Type=9 Authentication_Package=Negotiate Logon_Process=seclogo
index=wineventlog Logon_Process=Seclogo Logon_Type!=2

I recommend you read this first:
https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/

According to this article, you can see that "logon_type=9" and "Logon_Process=seclogo" will show up in the event log of the source host.
I did some PTH POC and I agree with this article.
Imagine a user's laptop was compromised and he is trying PTH everywhere in your network.
Usually we don't collect wineventlog on a laptop, right? So this rule won't fire in this scenario.

My observation is, if a PTH is successful in your network, you will see 3 wineventlog events on the target host at the SAME TIME (eventcode=4672+eventcode=4624+eventcode=5140).
Try writing a search based on this idea?
The defect is that the rule will fire only when the PTH has already succeeded; it can't detect a PTH attempt.
That's all I have, man... Please let me know your method if this has been resolved!

0 Karma

Ultra Champion

For (eventcode=4672+eventcode=4624+eventcode=5140) occurring at the same time:

index=wineventlog ((EventCode=4624 Authentication_Package=Negotiate) OR EventCode=4672 OR EventCode=5140)
| bin span=1s _time
| stats dc(EventCode) as EventCode_count by host _time
| where EventCode_count=3
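The two detections discussed in this thread, the source-host rule from the first post (4624 with Logon_Type 9, Logon_Process seclogo, Authentication_Package Negotiate) and the target-host correlation from the post above (4672 + 4624 + 5140 on one host inside a one-second bucket), written out in plain Python so the logic can be run offline against sample data. This is an added example, not code from the thread or from the cited article, and it is not SPL: the event records, host names, account names and function names are constructed for illustration. Two caveats it bakes in: a legitimate `runas /netonly` produces exactly the same seclogo / type 9 / Negotiate 4624 as hash injection does, which is the usual source of the false positives mentioned in the first post, so the source-host rule is left as-is and expected to be tuned per account; and on the target host an NTLM network logon is recorded with Logon_Process NtLmSsp and Authentication_Package NTLM rather than Negotiate, so the target-host rule here keys only on the three event codes, and 5140 is only written when the File Share audit subcategory is enabled on the target.

```python
"""Pass-the-Hash detection logic run over constructed sample events.

Added example, not code from the thread.  It implements the two detections
discussed above in plain Python so the logic can be checked offline:
  1. source-host rule: 4624 with Logon_Type 9, Logon_Process seclogo and
     Authentication_Package Negotiate (the posted Splunk searches);
  2. target-host rule: 4672 + 4624 + 5140 on the same host inside the same
     one-second bucket (the posted correlation search).
Records are simplified dicts whose keys mirror the Splunk wineventlog field
names used in the thread; the sample data below is constructed, not real.
"""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple

Event = Dict[str, str]


def _ev(time: str, host: str, code: str, **fields: str) -> Event:
    """Build a constructed sample event (helper for the sample data only)."""
    return {"_time": time, "host": host, "EventCode": code, **fields}


# Constructed sample events (hypothetical hosts and accounts).  UTC, ISO-8601.
SAMPLE_EVENTS: List[Event] = [
    # WKS01: hash injected with a runas /netonly style logon -> seclogo, type 9.
    _ev("2020-05-01T10:00:00", "WKS01", "4624", Logon_Type="9",
        Logon_Process="seclogo", Authentication_Package="Negotiate",
        Account_Name="alice"),
    # WKS01: ordinary interactive logon -> must not fire.
    _ev("2020-05-01T10:00:05", "WKS01", "4624", Logon_Type="2",
        Logon_Process="User32", Authentication_Package="Negotiate",
        Account_Name="alice"),
    # SRV01: successful PtH share access; the NTLM network logon leaves
    # 4624 (type 3, NtLmSsp/NTLM), 4672 and 5140 in the same second.
    _ev("2020-05-01T10:00:07", "SRV01", "4624", Logon_Type="3",
        Logon_Process="NtLmSsp", Authentication_Package="NTLM",
        Account_Name="admin"),
    _ev("2020-05-01T10:00:07", "SRV01", "4672", Account_Name="admin"),
    _ev("2020-05-01T10:00:07", "SRV01", "5140", Account_Name="admin",
        Share_Name="\\\\*\\ADMIN$"),
    # SRV02: privileged logon without any share access -> only two codes.
    _ev("2020-05-01T10:01:00", "SRV02", "4624", Logon_Type="3",
        Logon_Process="NtLmSsp", Authentication_Package="NTLM",
        Account_Name="admin"),
    _ev("2020-05-01T10:01:00", "SRV02", "4672", Account_Name="admin"),
    # SRV03: all three codes, but the share access lands two seconds later.
    _ev("2020-05-01T10:02:00", "SRV03", "4624", Logon_Type="3",
        Logon_Process="NtLmSsp", Authentication_Package="NTLM",
        Account_Name="admin"),
    _ev("2020-05-01T10:02:00", "SRV03", "4672", Account_Name="admin"),
    _ev("2020-05-01T10:02:02", "SRV03", "5140", Account_Name="admin",
        Share_Name="\\\\*\\C$"),
]


def is_seclogo_logon(event: Event) -> bool:
    """Source-host rule: the 4624 that hash injection (and any runas /netonly)
    leaves on the host where the network credentials are replaced.
    Values are compared case-insensitively, as Splunk field matching does."""
    return (event.get("EventCode") == "4624"
            and event.get("Logon_Type") == "9"
            and event.get("Logon_Process", "").lower() == "seclogo"
            and event.get("Authentication_Package", "").lower() == "negotiate")


def find_seclogo_logons(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (time, host, account) for every event matching the source-host rule."""
    return [(e["_time"], e["host"], e.get("Account_Name", ""))
            for e in events if is_seclogo_logon(e)]


def find_target_triplets(events: List[Event],
                         span_seconds: int = 1) -> List[Tuple[str, str]]:
    """Target-host rule: 4672, 4624 and 5140 on the same host inside one
    span_seconds bucket (the '| bin span=1s | stats dc(EventCode) ... | where
    EventCode_count=3' idea).  Returns sorted (host, bucket start) pairs.
    5140 is only logged when the File Share audit subcategory is enabled."""
    wanted = {"4624", "4672", "5140"}
    codes_by_bucket: Dict[Tuple[str, int], set] = defaultdict(set)
    for e in events:
        if e.get("EventCode") not in wanted:
            continue
        ts = datetime.fromisoformat(e["_time"]).replace(tzinfo=timezone.utc)
        bucket = int(ts.timestamp()) // span_seconds * span_seconds
        codes_by_bucket[(e["host"], bucket)].add(e["EventCode"])
    hits = [(host, datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat())
            for (host, bucket), codes in codes_by_bucket.items()
            if codes == wanted]
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_seclogo_logons(SAMPLE_EVENTS):
        print("source-host seclogo logon:", hit)
    for hit in find_target_triplets(SAMPLE_EVENTS):
        print("target-host 4624+4672+5140 in one second:", hit)
```

Run as-is it reports the WKS01 seclogo logon and the SRV01 triplet only; SRV02 (no 5140) and SRV03 (5140 two seconds late) are skipped, which is the same blind spot the one-second `bin` has in SPL. Widening `span_seconds` trades that for more noise, exactly as widening `span=` would in the Splunk search.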

Ultra Champion

HOW TO DETECT PASS-THE-HASH ATTACKS

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID='4624')]
        and EventData[Data[@Name='LogonType']='9']
        and EventData[Data[@Name='LogonProcessName']='seclogo']
        and EventData[Data[@Name='AuthenticationPackageName']='Negotiate']]
    </Select>
  </Query>
  <Query Id="1" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">
      *[System[(EventID=10)]]
        and *[EventData[Data[@Name='GrantedAccess']='0x1010'
                     or Data[@Name='GrantedAccess']='0x1038']]
    </Select>
  </Query>
</QueryList>

Microsoft-Windows-Sysmon/Operational is necessary, judging from the cited article.

0 Karma

Explorer

Hello! Is this syntax something I need to add to my inputs.conf, or what? I am not 100% clear on where to implement this... Thanks!

0 Karma

Ultra Champion

This is an XPath query written on the HP.
Therefore, it cannot be used as it is.
If you have the sourcetype XmlWinEventLog:Microsoft-Windows-Sysmon/Operational,

check this

0 Karma