Splunk Search

Pass the hash query review

kamil
Engager

Hello everyone

I'm trying to build a search for Pass the Hash.
I've seen the article below:
https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/

However, in my environment there is no Sysmon, so I made this:

index=windows
signature_id=4624
Logon_Type=9
Logon_Process=seclogo
|transaction host endswith="EventCode=4672" maxevents=10

I'm not sure if I used the transaction command in the proper way.

Thanks for suggestions!


richgalloway
SplunkTrust

Your transaction command is grammatically correct, but still may not work. It depends on whether the raw event contains the literal string "EventCode=4672" or not. Check the data.

That said, a query that expects sysmon data may not work without sysmon as those events often contain information not found elsewhere.

---
If this reply helps you, Karma would be appreciated.
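A reworked version of the search, added here as an example and not taken from either post or from the linked article. Two things change. First, the base search in the question only returns 4624 events, so the transaction never sees a 4672 to end on; both event types have to be in the base search. Second, the start and end conditions match on the extracted field (signature_id, the same field the question already uses) rather than on a literal string in _raw, so the search does not depend on whether the event was logged in classic or XML rendering. The 60-second window, the maxevents limit and the user field are assumptions to adjust for your data.

```spl
index=windows
    ((signature_id=4624 Logon_Type=9 Logon_Process=seclogo) OR signature_id=4672)
| transaction host maxspan=60s maxevents=10
    startswith=(signature_id=4624) endswith=(signature_id=4672)
| search eventcount>1
| table _time host user signature_id eventcount duration
```

The `search eventcount>1` line drops transactions that opened on a 4624 but never found a matching 4672. To check the point made in the reply about literal strings, look at one raw event, for example with index=windows signature_id=4672 | head 1 | table _raw, and see whether "EventCode=4672" appears in it. Two caveats: 4672 fires on every privileged logon, so on a busy host this will pair the seclogo logon with ordinary admin activity and should be treated as a hunting query rather than a high-fidelity alert; and a Logon_Type=9 / seclogo 4624 is also produced by runas /netonly, so the 4624 alone is worth reviewing. Without Sysmon you also lose the lsass.exe process-access evidence (Sysmon Event ID 10) that the linked article relies on, so this search only covers the logon-side artifacts.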