SPL

Pass the Hash Detection

Description

Submitted by srilankanmonkey

index="wineventlog" ( EventCode=4624 Logon_Type=3 ) OR ( EventCode=4625 Logon_Type=3 ) Authentication_Package="NTLM" NOT Account_Domain=YOURDOMAIN NOT Account_Name="ANONYMOUS LOGON"
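The search above as runnable detection logic, added here as an example (it is not the submitter's query or any Splunk code): it parses constructed key=value event lines and applies the same clauses, with field names taken from the search and YOURDOMAIN kept as the placeholder it already is. As the comments point out, a hit is only a candidate that still needs endpoint correlation.

```python
import shlex
from typing import Iterable

# Criteria from the search: network logons (Logon_Type 3), successful or
# failed, authenticated with NTLM, from an account outside the organisation's
# own domain, and not the ANONYMOUS LOGON account.
EVENT_CODES = {"4624", "4625"}
OWN_DOMAIN = "YOURDOMAIN"  # placeholder kept from the search; set to your domain


def parse_event(line: str) -> dict:
    """Parse a key=value event line into a dict; quoted values are allowed."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_candidate(event: dict) -> bool:
    """True when a parsed event satisfies every clause of the SPL search."""
    return (
        event.get("EventCode") in EVENT_CODES
        and event.get("Logon_Type") == "3"
        and event.get("Authentication_Package") == "NTLM"
        and event.get("Account_Domain") != OWN_DOMAIN
        and event.get("Account_Name") != "ANONYMOUS LOGON"
    )


def find_candidates(lines: Iterable[str]) -> list:
    """Return (EventCode, Account_Domain, Account_Name) for each matching line."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_candidate(event):
            hits.append((event["EventCode"], event["Account_Domain"], event["Account_Name"]))
    return hits


# Constructed sample events: a key=value subset of what Splunk extracts.
SAMPLE_LINES = [
    'EventCode=4624 Logon_Type=3 Authentication_Package=NTLM Account_Domain=YOURDOMAIN Account_Name=alice',
    'EventCode=4624 Logon_Type=3 Authentication_Package=NTLM Account_Domain=WS01 Account_Name=Administrator',
    'EventCode=4625 Logon_Type=3 Authentication_Package=NTLM Account_Domain=WS02 Account_Name=backup',
    'EventCode=4624 Logon_Type=3 Authentication_Package=Kerberos Account_Domain=WS03 Account_Name=bob',
    'EventCode=4624 Logon_Type=3 Authentication_Package=NTLM Account_Domain="NT AUTHORITY" Account_Name="ANONYMOUS LOGON"',
    'EventCode=4624 Logon_Type=2 Authentication_Package=NTLM Account_Domain=WS04 Account_Name=carol',
]

if __name__ == "__main__":
    for code, domain, name in find_candidates(SAMPLE_LINES):
        print(code, domain, name)
```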

Comments

3 total

David Veuve
3/15/2018

FYI, this detection does not really work anymore. It is based on legacy tools (old old old mimikatz), and hasn't worked reliably in close to 3 years.

Anup
5/9/2018

It's getting tougher with different modules of mimikatz, and one of the issues around implementing and writing the query is the data source. Looking only at the event codes is not that helpful unless you can correlate with the endpoint logs.

SplunkNinja
11/14/2018

Disclaimer to all viewers: I'm going to leave this query here, but take note of what David Veuve and Anup have said.
