Splunk Search

Pass the hash query review


Hello everyone

I'm trying to build a search for Pass the Hash.
I've seen the article below:

However, in my environment there is no Sysmon, so I made this:

|transaction host endswith="EventCode=4672" maxevents=10

I'm not sure if I used the transaction query in the proper way.

Thanks for suggestions!



Your transaction command is grammatically correct, but still may not work. It depends on whether the raw event contains the literal string "EventCode=4672" or not. Check the data.

That said, a query that expects sysmon data may not work without sysmon as those events often contain information not found elsewhere.

If this reply helps you, Karma would be appreciated.
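To make the discussion concrete, here is an added example (not from the original post, the reply, or Splunk's own code) that models in Python what `| transaction host endswith="EventCode=4672" maxevents=10` does to a stream of Windows Security events, and then checks each resulting group for the pattern a non-Sysmon pass-the-hash search usually looks for. Assumptions: the sample events are constructed, the `endswith` condition is simplified to a substring match on the raw event text (the reply's point about checking the data), and the indicator chosen is a 4624 logon with LogonType 9 in the same group as a 4672.

```python
import re
from typing import Dict, List

# Constructed sample events in key=value _raw style (not real logs).
RAW_EVENTS = [
    "host=WS01 EventCode=4624 LogonType=3 TargetUserName=svc_backup",
    "host=WS01 EventCode=4672 TargetUserName=svc_backup",
    "host=WS02 EventCode=4624 LogonType=9 LogonProcessName=seclogo TargetUserName=jdoe",
    "host=WS02 EventCode=4672 TargetUserName=jdoe",
    "host=WS03 EventCode=4624 LogonType=2 TargetUserName=alice",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")
Event = Dict[str, str]


def parse(raw: str) -> Event:
    """Field extraction, as Splunk's automatic key=value extraction would do."""
    return dict(FIELD_RE.findall(raw))


def transaction(raws: List[str], by: str, endswith: str, maxevents: int) -> List[List[Event]]:
    """Simplified model of `transaction <by> endswith=<s> maxevents=<n>`.

    Events are grouped per value of the `by` field. A group closes when an
    event's raw text contains the endswith string, or when the group reaches
    maxevents. Groups that never close are still returned, as Splunk does.
    (Splunk's real ordering and search-string semantics are richer; this is
    only the grouping idea, assumed for illustration.)
    """
    open_groups: Dict[str, List[Event]] = {}
    closed: List[List[Event]] = []
    for raw in raws:
        ev = parse(raw)
        group = open_groups.setdefault(ev.get(by, ""), [])
        group.append(ev)
        if endswith in raw or len(group) >= maxevents:
            closed.append(open_groups.pop(ev.get(by, "")))
    closed.extend(open_groups.values())
    return closed


def flag_pth(groups: List[List[Event]]) -> List[str]:
    """Hosts whose group holds both a LogonType 9 logon (4624) and a 4672."""
    hits = []
    for g in groups:
        has_4672 = any(e.get("EventCode") == "4672" for e in g)
        has_lt9 = any(e.get("EventCode") == "4624" and e.get("LogonType") == "9" for e in g)
        if has_4672 and has_lt9:
            hits.append(g[0].get("host", ""))
    return hits
```

Lowering `maxevents` to 1 closes every group after a single event, so the 4624 and 4672 never land together and nothing is flagged; that is the kind of behaviour to sanity-check against your own data before trusting the search.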