From d7443d71a4fa0a44dceb157e24569290508eb28e Mon Sep 17 00:00:00 2001 From: David Vassallo Date: Fri, 14 Jun 2019 18:08:36 +0300 Subject: [PATCH] Create win_pass_the_hash_2.yml alternative detection methods --- rules/windows/builtin/win_pass_the_hash_2.yml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 rules/windows/builtin/win_pass_the_hash_2.yml diff --git a/rules/windows/builtin/win_pass_the_hash_2.yml b/rules/windows/builtin/win_pass_the_hash_2.yml new file mode 100644 index 000000000..c943d2a13 --- /dev/null +++ b/rules/windows/builtin/win_pass_the_hash_2.yml @@ -0,0 +1,32 @@ +title: Pass the Hash Activity +status: production +description: 'Detects the attack technique pass the hash which is used to move laterally inside the network' +references: + - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events + - https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis + - https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/ +author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule) +tags: + - attack.lateral_movement + - attack.t1075 +logsource: + product: windows + service: security + definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624 +detection: + selection: + - EventID: 4624 + SecurityID: 'NULL SID' + LogonType: '3' + LogonProcessName: 'NtLmSsp' + KeyLength: '0' + - EventID: 4624 + LogonType: '9' + LogonProcessName: 'seclogo' + filter: + AccountName: 'ANONYMOUS LOGON' + condition: selection and not filter +falsepositives: + - Administrator activity + - Penetration tests +level: medium
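Review bot: `status: production` is not a value the Sigma rule format recognises (the allowed values are stable, test, experimental, deprecated and unsupported), so this file will fail schema validation; for a newly added rule `status: experimental` is the usual choice. The rule also lacks the `id` (UUID) and `date` fields that other rules in this directory carry; please add both. On the detection block: event 4624 carries a Security ID and an Account Name in both its Subject and its New Logon sections, so `SecurityID: 'NULL SID'` and the filter's `AccountName: 'ANONYMOUS LOGON'` are ambiguous as written and will map differently depending on the backend; name the intended field (Subject vs. New Logon) explicitly and say so in `definition`, which currently only describes the first selection. The second selection (`LogonType: '9'` with `LogonProcessName: 'seclogo'`) has no further constraint and is not mentioned in `definition` or `references`; state which of the cited methods it implements and consider listing its expected benign trigger (the runas /netonly pattern documented in the stealthbits reference) under `falsepositives` alongside the existing entries.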