Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Pass the hash detection

johann2017
Explorer
‎04-02-2019 11:28 AM

Hello. Has anyone built a detection for pass the hash? I have windows local event logs and AD logs at my disposal...

Tags (1)
Reply

iamlordvoldemor
New Member
‎09-05-2019 11:10 AM

index=wineventlog Logon_Process=Seclogo Logon_Type!=2

secondary logon and non interactive logons are the primary indicators. Computer names are optional but are best left to alert on with suppression in place so it doesn't blow up your alerts.

Also, consider getting sysinternals from your end points as well; much more accurate and detailed alerts can be created for PTH, OPTH, PTT, and a lot more 🙂

hope it helps and hope I'm not talking out of my @$$

0 Karma
Reply

mmqt
Path Finder
‎09-05-2019 12:14 PM

based on a stealthebits blog, You want to look for event 4624, Logon type 9, Authentication Package = negotiate, Logon Process = seclogo

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top