Working on the same thing, just want to share some ideas.
index=wineventlog EventCode=4624 Logon_Type=9 Authentication_Package=Negotiate Logon_Process=seclogo
index=wineventlog Logon_Process=Seclogo Logon_Type!=2
I recommend you read this first:
https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
According to this article, you can see that "logon_type=9" and "Logon_Process=seclogo" will show up in the event log of the source host.
I did some PTH POCs and I agree with this article.
Imagine a user's laptop was compromised and he is trying PTH everywhere in your network.
Usually we don't collect wineventlog on a laptop, right? So this rule won't fire in this scenario.
My observation is, if a PTH is successful in your network, you will see 3 wineventlog events on the target host at the SAME TIME (eventcode=4672 + eventcode=4624 + eventcode=5140).
Try writing a search based on this idea?
The defect is, the rule will fire only when the PTH has already succeeded; it can't detect a PTH attempt.
That's all I have, man... Please let me know your method if this has been resolved!
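The two ideas in the post above (the source-host signature of 4624 with Logon_Type 9 / seclogo / Negotiate, and the target-host correlation of 4672 + 4624 + 5140 "at the same time") as runnable detection logic over constructed sample events. This is an added example, not the poster's search or anything from the linked article. It assumes the Splunk Windows TA field names (EventCode, Logon_Type, Logon_Process, Authentication_Package, Account_Name, Share_Name), a hypothetical 10-second correlation window, and that the target host is actually producing 5140 events (that event only appears when the "Audit File Share" subcategory is enabled) and 4672 (only logged for accounts holding sensitive privileges, so a PtH as a plain user will not produce it).

```python
"""Pass-the-hash detection logic over sample Windows Security events.

Rule 1 (source host): 4624 with Logon_Type 9, Logon_Process seclogo and
Authentication_Package Negotiate, i.e. a new logon session created with
injected credentials (the signature the linked Stealthbits article describes).

Rule 2 (target host): 4672 + 4624 + 5140 for the same account on the same host
inside a short window, the poster's "3 events at the same time" observation.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs); field names follow the Splunk Windows TA.
SAMPLE_EVENTS = [
    # Source host: hash injected into a new logon session (Rule 1 should fire).
    {"time": "2024-05-01T10:00:00", "host": "LAPTOP01", "EventCode": 4624,
     "Logon_Type": 9, "Logon_Process": "seclogo",
     "Authentication_Package": "Negotiate", "Account_Name": "jdoe"},
    # Target host: successful PtH -> privileged logon, network logon, share access.
    {"time": "2024-05-01T10:00:05", "host": "FILESRV01", "EventCode": 4672,
     "Account_Name": "admin"},
    {"time": "2024-05-01T10:00:05", "host": "FILESRV01", "EventCode": 4624,
     "Logon_Type": 3, "Logon_Process": "NtLmSsp",
     "Authentication_Package": "NTLM", "Account_Name": "admin"},
    {"time": "2024-05-01T10:00:06", "host": "FILESRV01", "EventCode": 5140,
     "Account_Name": "admin", "Share_Name": "\\\\*\\ADMIN$"},
    # Benign: interactive admin logon, no share access -> Rule 2 must not fire.
    {"time": "2024-05-01T10:30:00", "host": "WKS02", "EventCode": 4624,
     "Logon_Type": 2, "Logon_Process": "User32",
     "Authentication_Package": "Negotiate", "Account_Name": "jdoe"},
    {"time": "2024-05-01T10:30:00", "host": "WKS02", "EventCode": 4672,
     "Account_Name": "jdoe"},
    # Benign: all three codes, but 4672 five minutes later -> outside the window.
    {"time": "2024-05-01T11:00:00", "host": "FILESRV02", "EventCode": 4624,
     "Logon_Type": 3, "Logon_Process": "NtLmSsp",
     "Authentication_Package": "NTLM", "Account_Name": "svc"},
    {"time": "2024-05-01T11:00:02", "host": "FILESRV02", "EventCode": 5140,
     "Account_Name": "svc", "Share_Name": "\\\\*\\C$"},
    {"time": "2024-05-01T11:05:00", "host": "FILESRV02", "EventCode": 4672,
     "Account_Name": "svc"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def source_host_hits(events):
    """Rule 1: the seclogo / Logon_Type 9 signature on the host where the hash was used."""
    return [
        e for e in events
        if e["EventCode"] == 4624
        and e.get("Logon_Type") == 9
        # Splunk compares field values case-insensitively; mimic that here.
        and str(e.get("Logon_Process", "")).lower() == "seclogo"
        and str(e.get("Authentication_Package", "")).lower() == "negotiate"
    ]


def target_host_hits(events, window=timedelta(seconds=10)):
    """Rule 2: 4672, 4624 and 5140 for one (host, account) inside `window`.

    Returns one (host, account, first_event_time) tuple per matching pair.
    The window length is an assumed tuning value, not something from the post.
    """
    needed = {4672, 4624, 5140}
    by_key = defaultdict(list)
    for e in events:
        if e["EventCode"] in needed:
            by_key[(e["host"], e["Account_Name"])].append(e)

    hits = []
    for (host, account), evs in by_key.items():
        evs.sort(key=_ts)
        # Slide a window anchored at each event; alert once per host/account.
        for i, anchor in enumerate(evs):
            seen = {anchor["EventCode"]}
            for later in evs[i + 1:]:
                if _ts(later) - _ts(anchor) > window:
                    break
                seen.add(later["EventCode"])
            if seen >= needed:
                hits.append((host, account, anchor["time"]))
                break
    return hits


if __name__ == "__main__":
    for e in source_host_hits(SAMPLE_EVENTS):
        print("Rule 1 (source host):", e["host"], e["Account_Name"], e["time"])
    for host, account, when in target_host_hits(SAMPLE_EVENTS):
        print("Rule 2 (target host):", host, account, when)
```

The FILESRV02 case shows why the window matters: a service account that touches a share and is granted special privileges minutes apart is normal, and only the tight co-occurrence the post describes is worth alerting on. Because Rule 2 keys on the target host's own logs, it still works when the compromised laptop sends nothing to Splunk, which is the gap the poster points out for Rule 1.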