Pass the Hash Detection
WinEventLog:Security
srilankanmonkey
3 Comments

index="wineventlog" ( EventCode=4624 Logon_Type=3 ) OR ( EventCode=4625 Logon_Type=3 ) Authentication_Package="NTLM" NOT Account_Domain=YOURDOMAIN NOT Account_Name="ANONYMOUS LOGON"

Tagged: Windows, Windows Security, PassTheHash, Malware
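As an added example, not part of the original post, the query's filter logic re-implemented in Python and run over constructed Security events, so the conditions (4624/4625, network logon, NTLM, foreign domain, not ANONYMOUS LOGON) can be checked one by one; the field names follow the Splunk WinEventLog:Security extraction the query relies on, the domain "CORP" stands in for YOURDOMAIN, and each event is assumed to carry a single account (real 4624 events have both a Subject and a New Logon account).

```python
# Added example: the post's SPL filter expressed as a Python predicate and
# applied to constructed sample events. Field names mirror the Splunk
# WinEventLog:Security fields used in the query; nothing here is real log data.
from dataclasses import dataclass

YOUR_DOMAIN = "CORP"  # placeholder standing in for the query's YOURDOMAIN


@dataclass
class SecurityEvent:
    event_code: int       # EventCode
    logon_type: int       # Logon_Type
    auth_package: str     # Authentication_Package
    account_domain: str   # Account_Domain
    account_name: str     # Account_Name


def matches_pth_query(ev: SecurityEvent, local_domain: str = YOUR_DOMAIN) -> bool:
    """True when the event satisfies the post's filter:
    (EventCode 4624 or 4625) AND Logon_Type=3 AND NTLM
    AND Account_Domain != our domain AND Account_Name != ANONYMOUS LOGON.
    Splunk field=value matching is case-insensitive, so compare that way here."""
    if ev.event_code not in (4624, 4625) or ev.logon_type != 3:
        return False
    if ev.auth_package.upper() != "NTLM":
        return False
    if ev.account_domain.upper() == local_domain.upper():
        return False
    if ev.account_name.upper() == "ANONYMOUS LOGON":
        return False
    return True


# Constructed sample events (not captured from any real system).
SAMPLE_EVENTS = [
    SecurityEvent(4624, 3, "NTLM", "WORKSTATION7", "svc_backup"),       # matches
    SecurityEvent(4624, 3, "Kerberos", "CORP", "alice"),                # Kerberos: no
    SecurityEvent(4624, 3, "NTLM", "CORP", "bob"),                      # own domain: no
    SecurityEvent(4624, 3, "NTLM", "NT AUTHORITY", "ANONYMOUS LOGON"),  # excluded: no
    SecurityEvent(4625, 3, "NTLM", "OTHERBOX", "administrator"),        # failed logon: matches
    SecurityEvent(4624, 2, "NTLM", "LAPTOP1", "carol"),                 # interactive: no
]


def find_pth_candidates(events, local_domain: str = YOUR_DOMAIN):
    """Return the events the query would surface for analyst review."""
    return [ev for ev in events if matches_pth_query(ev, local_domain)]


if __name__ == "__main__":
    for ev in find_pth_candidates(SAMPLE_EVENTS):
        print(f"{ev.event_code} {ev.account_domain}\\{ev.account_name}")
```

As the comments below note, a match is only a starting point: it flags NTLM network logons from outside the domain, which includes legitimate workgroup hosts and service accounts as well as credential reuse.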
David Veuve March 15, 2018 at 12:26 pm FYI, this detection does not really work anymore. It is based on legacy tools (old old old mimikatz), and hasn’t worked reliably in close to 3 years.
Anup May 9, 2018 at 1:30 pm It's getting tougher with different modules of mimikatz, and one of the issues around implementing & writing the query is the data source. Looking only at the event codes is not that helpful unless you can correlate with the endpoint logs.
SplunkNinja November 14, 2018 at 2:47 pm Disclaimer to all viewers: I’m going to leave this query here, but take note of what David Veuve and Anup have said.