Splunk Search

How to Detect Pass the Hash

johann2017
Explorer

Hello there! I am trying to build a Splunk alert to detect Pass the Hash. In another post it was recommended to try using the searches below. I tested out the searches but they yield some false positives. I wanted to re-post here and see if anyone has any other recommendations besides the searches below?

index=wineventlog EventCode=4624 Logon_Type=9 Authentication_Package=Negotiate Logon_Process=seclogo

index=wineventlog Logon_Process=Seclogo Logon_Type!=2


jiangzhaohua
New Member

Working on the same thing, just want to share some ideas.

index=wineventlog EventCode=4624 Logon_Type=9 Authentication_Package=Negotiate Logon_Process=seclogo
index=wineventlog Logon_Process=Seclogo Logon_Type!=2

I recommend you read this first:
https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/

According to this article, you can see that "Logon_Type=9" and "Logon_Process=seclogo" will show up in the event log of the source host.
I did some PTH POC and I agree with this article.
Imagine a user's laptop was compromised, and he is trying PTH everywhere in your network.
Usually we don't collect wineventlog on a laptop, right? So this rule won't fire in this scenario.

My observation is, if a PTH is successful in your network, you will see 3 winevent logs on the target host at the SAME TIME (eventcode=4672 + eventcode=4624 + eventcode=5140).
Try writing a search based on this idea?
The defect is, the rule will fire only when the PTH is already successful; it can't detect a PTH attempt.
That's all I have, man... Please let me know your method if this has been resolved!


to4kawa
Ultra Champion

For (eventcode=4672 + eventcode=4624 + eventcode=5140) occurring at the same time:

index=wineventlog (EventCode=4672 OR EventCode=4624 OR EventCode=5140) Authentication_Package=Negotiate
| eval time = _time
| bin span=1s time
| stats dc(EventCode) as EventCode_count by host time
| rename time as _time
| where EventCode_count=3

to4kawa
Ultra Champion

HOW TO DETECT PASS-THE-HASH ATTACKS

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID='4624')]
        and
      EventData[Data[@Name='LogonType']='9']
        and
      EventData[Data[@Name='LogonProcessName']='seclogo']
        and
      EventData[Data[@Name='AuthenticationPackageName']='Negotiate']
      ]
    </Select>
  </Query>
  <Query Id="1" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">
      *[System[(EventID=10)]]
        and
      *[EventData[Data[@Name='GrantedAccess'] and (Data='0x1010' or Data='0x1038')]]
    </Select>
  </Query>
</QueryList>

Microsoft-Windows-Sysmon/Operational is necessary, judging from the cited article.
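The two detection ideas in this thread, the source-host rule (4624 with Logon_Type 9, seclogo and Negotiate, which the Security XPath above also expresses) and the target-host correlation (4672, 4624 and 5140 on one host inside the same one-second bin, as in to4kawa's search), written out as Python over a few constructed events. This is an added example, not code from any post or from the cited article; the field names follow the Splunk search fields used in the thread, the events are made up, and the correlation applies no Authentication_Package filter, so it is slightly broader than the SPL version.

```python
"""Toy pass-the-hash signals from the thread, run over constructed events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names mirror the Splunk
# Windows event fields used in the thread's searches.
SAMPLE_EVENTS = [
    # Source host: a "logon with explicit credentials" style logon.
    {"host": "WS01", "_time": "2024-01-01T10:00:00", "EventCode": 4624,
     "Logon_Type": 9, "Logon_Process": "seclogo",
     "Authentication_Package": "Negotiate"},
    # Target host: privileged logon + network logon + share access, same second.
    {"host": "FS01", "_time": "2024-01-01T10:00:05", "EventCode": 4672},
    {"host": "FS01", "_time": "2024-01-01T10:00:05", "EventCode": 4624,
     "Logon_Type": 3, "Logon_Process": "NtLmSsp",
     "Authentication_Package": "NTLM"},
    {"host": "FS01", "_time": "2024-01-01T10:00:05", "EventCode": 5140},
    # Benign share access on another host: no 4672 in the same bin.
    {"host": "FS02", "_time": "2024-01-01T10:00:05", "EventCode": 4624,
     "Logon_Type": 3, "Logon_Process": "Kerberos",
     "Authentication_Package": "Kerberos"},
    {"host": "FS02", "_time": "2024-01-01T10:00:05", "EventCode": 5140},
    # A lone 4672 on FS01 two seconds later: outside the earlier bin.
    {"host": "FS01", "_time": "2024-01-01T10:00:07", "EventCode": 4672},
]

EPOCH = datetime(1970, 1, 1)
REQUIRED_CODES = {4672, 4624, 5140}


def source_host_logons(events):
    """Rule 1 (source host): 4624 with Logon_Type 9, seclogo and Negotiate."""
    return [
        e for e in events
        if e.get("EventCode") == 4624
        and e.get("Logon_Type") == 9
        and str(e.get("Logon_Process", "")).lower() == "seclogo"
        and e.get("Authentication_Package") == "Negotiate"
    ]


def correlated_target_hosts(events, span_seconds=1):
    """Rule 2 (target host): 4672, 4624 and 5140 all seen on one host
    within the same time bin. Returns (host, bin_start_iso) pairs."""
    codes_by_bin = defaultdict(set)
    for e in events:
        # Naive datetime arithmetic keeps the binning independent of the
        # local time zone.
        seconds = (datetime.fromisoformat(e["_time"]) - EPOCH).total_seconds()
        bin_start = int(seconds // span_seconds) * span_seconds
        codes_by_bin[(e["host"], bin_start)].add(e["EventCode"])
    hits = [
        (host, (EPOCH + timedelta(seconds=bin_start)).isoformat())
        for (host, bin_start), codes in codes_by_bin.items()
        if REQUIRED_CODES <= codes
    ]
    return sorted(hits)


if __name__ == "__main__":
    for e in source_host_logons(SAMPLE_EVENTS):
        print("source-host signal:", e["host"], e["_time"])
    for host, when in correlated_target_hosts(SAMPLE_EVENTS):
        print("target-host correlation:", host, when)
```

Running the block reports WS01 for the source-host rule and FS01 at 10:00:05 for the correlation; FS02 is not reported because it never sees a 4672 in the same bin, and the later lone 4672 on FS01 falls into a different bin. As jiangzhaohua notes, rule 2 only fires after a logon has already succeeded.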


johann2017
Explorer

Hello! Is this syntax something I need to add to my inputs.conf or what? I am not 100% clear where to implement this... thanks!


to4kawa
Ultra Champion

This is an XPath query written on the HP.
Therefore, it cannot be used as it is.
If you have the sourcetype XmlWinEventLog:Microsoft-Windows-Sysmon/Operational,

check this
