Detect Activity Related to Pass the Hash Attacks

Name:Detect Activity Related to Pass the Hash Attacks
id:f5939373-8054-40ad-8c64-cec478a22a4b
version:8
date:2024-10-17
author:Bhavin Patel, Patrick Bareiss, Splunk
status:deprecated
type:Hunting
Description:This search looks for specific authentication events from the Windows Security Event logs to detect potential attempts at using the Pass-the-Hash technique. This search is DEPRECATED as it is possible for event code 4624 to generate a high level of noise, as legitimate logon events may also trigger this event code. This can be especially true in environments with high levels of user activity, such as those with many concurrent logons or frequent logon attempts.
Data_source:

• -Windows Event Log Security 4624

search:`wineventlog_security` EventCode=4624 (Logon_Type=3 Logon_Process=NtLmSsp NOT AccountName="ANONYMOUS LOGON") OR (Logon_Type=9 Logon_Process=seclogo)
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode, Logon_Type, WorkstationName, user, dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_activity_related_to_pass_the_hash_attacks_filter`

how_to_implement:To successfully implement this search, you must ingest your Windows Security Event logs and leverage the latest TA for Windows.
known_false_positives:Legitimate logon activity by authorized NTLM systems may be detected by this search. Please investigate as appropriate.
References:
drilldown_searches:
  :
tags:
  analytic_story:
    - 'Active Directory Lateral Movement'
    - 'BlackSuit Ransomware'
  asset_type:Endpoint
  confidence:70
  impact:70
  message:The following $EventCode$ occurred on $dest$ by $user$ with Logon Type 3, which may be indicative of the pass the hash technique.
  mitre_attack_id:
    - 'T1550'
    - 'T1550.002'
  observable:
    name:'user'
    type:'User'
    - role:
      - 'Victim'
    name:'dest'
    type:'Hostname'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'EventCode'
    - 'Logon_Type'
    - 'Logon_Process'
    - 'WorkstationName'
    - 'user'
    - 'dest'
  risk_score:49
  security_domain:access

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.002/atomic_red_team/windows-security.log
  source: WinEventLog:Security
  sourcetype: WinEventLog
  update_timestamp: True
manual_test:None