Hello there! I am trying to build a Splunk alert to detect Pass the Hash. In another post it was recommended to try using the searches below. I tested out the searches but they yield some false positives. I wanted to re-post here and see if anyone has any other recommendations besides the searches below?
index=wineventlog EventCode=4624 Logon_Type=9 Authentication_Package=Negotiate Logon_Process=seclogo
index=wineventlog Logon_Process=Seclogo Logon_Type!=2
Working on the same thing, just want to share some ideas.
index=wineventlog EventCode=4624 Logon_Type=9 Authentication_Package=Negotiate Logon_Process=seclogo
index=wineventlog Logon_Process=Seclogo Logon_Type!=2
I recommend you read this first:
https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
According to this article, you can see that "logon_type=9" and "Logon_Process=seclogo" will show up in the event log of the source host.
I did some PTH POCs and I agree with this article.
Imagine a user's laptop was compromised, and he is trying PTH everywhere in your network.
Usually we don't collect wineventlog on a laptop, right? So this rule won't fire in this scenario.
My observation is, if a PTH succeeds in your network, you will see 3 winevent log entries on the target host at the SAME TIME (eventcode=4672 + eventcode=4624 + eventcode=5140).
Try writing a search based on this idea?
The defect is, the rule will fire only when the PTH has already succeeded; it can't detect a PTH attempt.
That's all I have, man... Please let me know your method if this has been resolved!
For (eventcode=4672 + eventcode=4624 + eventcode=5140) occurring at the same time (the original search listed 4624 twice and left out 4672, and applied Authentication_Package=Negotiate to all three codes, which 4672 and 5140 do not carry, so dc(EventCode) could never reach 3; both are corrected here):
index=wineventlog ((EventCode=4624 AND Authentication_Package=Negotiate) OR EventCode=4672 OR EventCode=5140)
| eval time = _time
| bin span=1s time
| stats dc(EventCode) as EventCode_count by host time
| rename time as _time
| where EventCode_count=3
HOW TO DETECT PASS-THE-HASH ATTACKS
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID='4624')]
        and
        EventData[Data[@Name='LogonType']='9']
        and
        EventData[Data[@Name='LogonProcessName']='seclogo']
        and
        EventData[Data[@Name='AuthenticationPackageName']='Negotiate']
      ]
    </Select>
  </Query>
  <Query Id="1" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">
      *[System[(EventID=10)]]
        and
      *[EventData[Data[@Name='GrantedAccess']='0x1010' or Data[@Name='GrantedAccess']='0x1038']]
    </Select>
  </Query>
</QueryList>
Microsoft-Windows-Sysmon/Operational is necessary, considering the cited article.
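To make the three ideas in this thread concrete, here is an added Python example (not from any of the posts above, and not Splunk or Sysmon code) that applies them to a handful of constructed events: rule 1 is the source-host search (EventCode 4624, Logon_Type 9, Authentication_Package Negotiate, Logon_Process seclogo), rule 2 is the same-second 4624 + 4672 + 5140 correlation on the target host, and rule 3 is the Sysmon EventID 10 GrantedAccess check from the XPath query. The sample hosts, timestamps and the sourcetype strings are assumptions; the field names follow what the Splunk Add-on for Windows extracts. Rule 2 keys only on event codes because 4672 and 5140 carry no Authentication Package field, so filtering all three on Negotiate would never produce a hit.

```python
"""Pass-the-hash detection logic from this thread, run over constructed sample events."""
from collections import defaultdict

SECURITY = "WinEventLog:Security"                                  # assumed sourcetype
SYSMON = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"     # assumed sourcetype

# Constructed sample events (not captured from a real network). One dict per event,
# with _time as epoch seconds the way Splunk stores it.
SAMPLE_EVENTS = [
    # WS01 (source host): the logon a PtH tool writes, as described in the thread
    {"host": "WS01", "sourcetype": SECURITY, "_time": 1583056800.0, "EventCode": 4624,
     "Logon_Type": 9, "Authentication_Package": "Negotiate", "Logon_Process": "seclogo"},
    # WS01: an ordinary interactive logon, must not fire
    {"host": "WS01", "sourcetype": SECURITY, "_time": 1583053200.0, "EventCode": 4624,
     "Logon_Type": 2, "Authentication_Package": "Negotiate", "Logon_Process": "User32"},
    # FS01 (target host): 4624 + 4672 + 5140 within the same second
    {"host": "FS01", "sourcetype": SECURITY, "_time": 1583056805.10, "EventCode": 4624,
     "Logon_Type": 3, "Authentication_Package": "NTLM", "Logon_Process": "NtLmSsp"},
    {"host": "FS01", "sourcetype": SECURITY, "_time": 1583056805.12, "EventCode": 4672},
    {"host": "FS01", "sourcetype": SECURITY, "_time": 1583056805.40, "EventCode": 5140},
    # DC01: privileged logon with no share access in that second, must not fire
    {"host": "DC01", "sourcetype": SECURITY, "_time": 1583056805.00, "EventCode": 4624,
     "Logon_Type": 3, "Authentication_Package": "Kerberos", "Logon_Process": "Kerberos"},
    {"host": "DC01", "sourcetype": SECURITY, "_time": 1583056805.05, "EventCode": 4672},
    # FS01 one second later: a lone 5140 must not join the earlier bucket
    {"host": "FS01", "sourcetype": SECURITY, "_time": 1583056806.10, "EventCode": 5140},
    # Sysmon event 10: one with a mask from the XPath query, one benign
    {"host": "WS01", "sourcetype": SYSMON, "_time": 1583056799.5, "EventCode": 10,
     "GrantedAccess": "0x1010", "TargetImage": "C:\\Windows\\system32\\lsass.exe"},
    {"host": "WS02", "sourcetype": SYSMON, "_time": 1583056799.6, "EventCode": 10,
     "GrantedAccess": "0x1400", "TargetImage": "C:\\Windows\\system32\\lsass.exe"},
]


def source_host_hits(events):
    """Rule 1 (the first search in the thread): the 4624 a PtH tool writes on the SOURCE host."""
    return [e for e in events
            if e["sourcetype"] == SECURITY and e["EventCode"] == 4624
            and e.get("Logon_Type") == 9
            and e.get("Authentication_Package") == "Negotiate"
            # the thread spells it both seclogo and Seclogo; compare case-insensitively
            and str(e.get("Logon_Process", "")).lower() == "seclogo"]


TARGET_CODES = {4624, 4672, 5140}


def target_host_hits(events):
    """Rule 2: 4624 + 4672 + 5140 on the same host in the same one-second bucket,
    i.e. the `bin span=1s` / `dc(EventCode)` idea from the thread."""
    codes = defaultdict(set)
    for e in events:
        if e["sourcetype"] == SECURITY and e["EventCode"] in TARGET_CODES:
            codes[(e["host"], int(e["_time"]))].add(e["EventCode"])   # int() == bin span=1s
    return sorted(key for key, seen in codes.items() if seen == TARGET_CODES)


LSASS_MASKS = {0x1010, 0x1038}   # the GrantedAccess values from the XPath query


def lsass_access_hits(events):
    """Rule 3: Sysmon EventID 10 with one of the GrantedAccess masks above.
    Compared as integers so 0x1010 and 0X1010 both match; restricting TargetImage
    to lsass.exe as well would cut noise, but the thread's query does not do that."""
    hits = []
    for e in events:
        if e["sourcetype"] != SYSMON or e["EventCode"] != 10:
            continue
        try:
            mask = int(str(e.get("GrantedAccess", "0")), 16)
        except ValueError:
            continue
        if mask in LSASS_MASKS:
            hits.append(e)
    return hits


def run_all(events=SAMPLE_EVENTS):
    """Apply all three rules and return the hosts/buckets each one flags."""
    return {"source_host": [e["host"] for e in source_host_hits(events)],
            "target_host": target_host_hits(events),
            "lsass_access": [e["host"] for e in lsass_access_hits(events)]}


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(f"{rule}: {hits}")
```

Running it flags WS01 under rule 1, the FS01 bucket at 1583056805 under rule 2 (DC01 lacks the 5140, and the later FS01 5140 falls in the next second), and WS01 under rule 3. Note that rule 2, as the thread says, only fires after the PtH has already succeeded on the target.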
Hello! Is this syntax something I need to add to my inputs.conf, or what? I am not 100% clear where to implement this... thanks!
This is an XPath query as written on the HP (the article's web page).
Therefore, it cannot be used as it is.
If you have the sourcetype XmlWinEventLog:Microsoft-Windows-Sysmon/Operational,