Pass the hash detection
johann2017
Explorer
04-02-2019
11:28 AM
Hello. Has anyone built a detection for pass the hash? I have Windows local event logs and AD logs at my disposal...
iamlordvoldemor
New Member
09-05-2019
11:10 AM
index=wineventlog Logon_Process=Seclogo Logon_Type!=2
Secondary logon and non-interactive logons are the primary indicators. Computer names are optional but are best left to alert on with suppression in place so it doesn't blow up your alerts.
Also, consider getting Sysinternals from your endpoints as well; much more accurate and detailed alerts can be created for PTH, OPTH, PTT, and a lot more 🙂
Hope it helps, and hope I'm not talking out of my @$$.
mmqt
Path Finder
09-05-2019
12:14 PM
Based on a STEALTHbits blog, you want to look for event 4624, Logon Type 9, Authentication Package = Negotiate, Logon Process = seclogo.
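The two answers above describe the same rule: a 4624 logon with Logon Type 9, Logon Process seclogo and Authentication Package Negotiate, with per-host suppression so known administrative hosts do not flood the alert. The following Python is an added example that is not part of the thread and not Splunk's code; it applies that rule to a handful of constructed key=value event lines in the shape Splunk's wineventlog field extraction produces. The hostnames, account names and the suppression set are hypothetical.

```python
"""Apply the thread's pass-the-hash indicator (4624, Logon Type 9,
Logon Process seclogo, Authentication Package Negotiate) to constructed
Windows event lines, with an optional per-host suppression set."""
import re
from typing import Dict, Iterable, List

# Constructed sample events (not real log data). One event per line,
# key=value pairs as Splunk's wineventlog extraction would present them.
SAMPLE_EVENTS = [
    # Interactive console logon: Logon Type 2, should not match.
    "EventCode=4624 ComputerName=WS01.example.test Account_Name=alice "
    "Logon_Type=2 Logon_Process=User32 Authentication_Package=Negotiate",
    # NewCredentials logon via secondary logon service: matches the pattern.
    "EventCode=4624 ComputerName=WS01.example.test Account_Name=alice "
    "Logon_Type=9 Logon_Process=seclogo Authentication_Package=Negotiate",
    # Ordinary network logon with NTLM: Logon Type 3, should not match.
    "EventCode=4624 ComputerName=SRV02.example.test Account_Name=svc_backup "
    "Logon_Type=3 Logon_Process=NtLmSsp Authentication_Package=NTLM",
    # Same pattern on a hypothetical admin jump host (candidate for suppression).
    "EventCode=4624 ComputerName=JUMP01.example.test Account_Name=admin_ops "
    "Logon_Type=9 Logon_Process=seclogo Authentication_Package=Negotiate",
    # Failed logon (4625) with matching fields: not a 4624, should not match.
    "EventCode=4625 ComputerName=WS01.example.test Account_Name=bob "
    "Logon_Type=9 Logon_Process=seclogo Authentication_Package=Negotiate",
]

# Hypothetical suppression list: hosts where secondary logons are expected.
DEFAULT_SUPPRESSED_HOSTS = frozenset({"JUMP01.example.test"})

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn a key=value event line into a field dictionary."""
    return dict(KV_RE.findall(line))


def is_pth_pattern(ev: Dict[str, str]) -> bool:
    """True when the event matches the thread's indicator combination."""
    return (
        ev.get("EventCode") == "4624"
        and ev.get("Logon_Type") == "9"
        and ev.get("Logon_Process", "").lower() == "seclogo"
        and ev.get("Authentication_Package", "").lower() == "negotiate"
    )


def detect(lines: Iterable[str], suppressed_hosts: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Return the events that match the indicator and are not on a suppressed host."""
    suppressed = set(suppressed_hosts)
    hits = []
    for line in lines:
        ev = parse_event(line)
        if not is_pth_pattern(ev):
            continue
        if ev.get("ComputerName") in suppressed:
            continue  # expected secondary-logon activity, keep alert volume down
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, DEFAULT_SUPPRESSED_HOSTS):
        print(f"ALERT host={hit['ComputerName']} account={hit['Account_Name']}")
```

Without suppression the sample yields two hits (WS01 and JUMP01); with the jump host suppressed only the WS01 event remains. Logon Type 9 is the NewCredentials logon that legitimate `runas /netonly` use also produces, which is why the suppression list, and ideally an endpoint source such as the Sysinternals telemetry mentioned above, matters before this becomes a paging alert.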
