From e4d764ceba5e46fe8c7d777275e1f1ac0e644351 Mon Sep 17 00:00:00 2001
From: IeM
Date: Wed, 8 Mar 2017 18:04:31 +0100
Subject: [PATCH 1/5] Create win_pass_the_hash.yml

Rule to detects the attack technique pass the hash which is used to move laterally inside the network
---
rules/windows/builtin/win_pass_the_hash.yml | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
create mode 100644 rules/windows/builtin/win_pass_the_hash.yml

diff --git a/rules/windows/builtin/win_pass_the_hash.yml b/rules/windows/builtin/win_pass_the_hash.yml
new file mode 100644
index 000000000..ef3adbca1
--- /dev/null
+++ b/rules/windows/builtin/win_pass_the_hash.yml
@@ -0,0 +1,20 @@
+title: Detects Pass the hash Activity
+status: experimental
+description: 'Detects the attack technique pass the hash which is used to move laterally inside the network'
+reference: https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
+author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
+logsource:
+ product: windows
+ service: security
+ description: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
+detection:
+ selection:
+ - EventID: 4624
+ LogonType: '3'
+ - EventID: 4625
+ LogonType: '3'
+ condition: selection
+falsepositives:
+ - Administrator activity
+ - Penetration tests
+level: high

From 381b85fd9445df3998eb06025aace1df9f105a38 Mon Sep 17 00:00:00 2001
From: IeM
Date: Wed, 8 Mar 2017 18:48:06 +0100
Subject: [PATCH 2/5] Update win_pass_the_hash.yml

Edited, added additional indicators. Reference: https://www.binarydefense.com/bds/reliably-detecting-pass-the-hash-through-event-log-analysis/
---
rules/windows/builtin/win_pass_the_hash.yml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/rules/windows/builtin/win_pass_the_hash.yml b/rules/windows/builtin/win_pass_the_hash.yml
index ef3adbca1..52a5e5462 100644
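Review bot: The second selection entry (`- EventID: 4625` with `LogonType: '3'`) alerts on every failed network logon, which a mistyped password or an expired account produces just as readily as a pass-the-hash attempt, so on its own it is not evidence of the technique and will dominate the rule's alert volume. Either drop the 4625 entry or move it into a separate, lower-level rule whose description says it flags failed network logons for correlation rather than PtH itself. The event-ID rationale placed under `logsource` as `description:` is hidden from tooling that only renders the top-level `description`; moving that sentence into the top-level description keeps the logsource block to `product` and `service` only. Whether `reference:` (singular) matches the schema used by the rest of the rule set cannot be told from this patch and is worth checking before merge.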
--- a/rules/windows/builtin/win_pass_the_hash.yml +++ b/rules/windows/builtin/win_pass_the_hash.yml @@ -1,6 +1,6 @@ title: Detects Pass the hash Activity status: experimental -description: 'Detects the attack technique pass the hash which is used to move laterally inside the network' +description: 'Detects the attack technique to move laterally inside the network' reference: https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method) logsource: @@ -11,8 +11,12 @@ detection: selection: - EventID: 4624 LogonType: '3' + LogonProcess: 'NtLmSsp' + KeyLength: '0' - EventID: 4625 LogonType: '3' + LogonProcess: 'NtLmSsp' + KeyLength: '0' condition: selection falsepositives: - Administrator activity From 4d5ded46e69a324ade524129d59a81d621bb82c1 Mon Sep 17 00:00:00 2001 From: IeM Date: Wed, 8 Mar 2017 20:35:26 +0100 Subject: [PATCH 3/5] Update win_pass_the_hash.yml --- rules/windows/builtin/win_pass_the_hash.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_pass_the_hash.yml b/rules/windows/builtin/win_pass_the_hash.yml index 52a5e5462..3eb4b47ea 100644 --- a/rules/windows/builtin/win_pass_the_hash.yml +++ b/rules/windows/builtin/win_pass_the_hash.yml @@ -1,6 +1,6 @@ title: Detects Pass the hash Activity status: experimental -description: 'Detects the attack technique to move laterally inside the network' +description: 'Detects the attack technique pass the hash which is used to move laterally inside the network' reference: https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method) logsource: From 9f5e5a236677c8e9f4c94d93f66d16408d6c930e Mon Sep 17 00:00:00 2001 
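Review bot: `LogonProcess: 'NtLmSsp'` in the second hunk names a field that the Windows Security 4624 and 4625 events do not carry under that name; their EventData element is `LogonProcessName`, so as written the new condition cannot match and, because all fields of an entry must match, the rule stops firing altogether. Change both occurrences (the 4624 and the 4625 entry) to `LogonProcessName: 'NtLmSsp'`. Also, NtLmSsp together with `KeyLength: '0'` describes every NTLM network logon, not only pass-the-hash, so `falsepositives` should at least list legitimate NTLM authentication (non-domain hosts, IP-address-based SMB access). The hunk's `detection:` context shows the enclosing block; the `selection` list starts and ends within the hunk.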
From: IeM Date: Mon, 13 Mar 2017 16:09:32 +0100 Subject: [PATCH 4/5] Update win_pass_the_hash.yml Added placeholders for WorkstationName to detect network logons between Workstations. --- rules/windows/builtin/win_pass_the_hash.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/builtin/win_pass_the_hash.yml b/rules/windows/builtin/win_pass_the_hash.yml index 3eb4b47ea..a740d71ad 100644 --- a/rules/windows/builtin/win_pass_the_hash.yml +++ b/rules/windows/builtin/win_pass_the_hash.yml @@ -13,10 +13,12 @@ detection: LogonType: '3' LogonProcess: 'NtLmSsp' KeyLength: '0' + WorkstationName: %Workstations% - EventID: 4625 LogonType: '3' LogonProcess: 'NtLmSsp' KeyLength: '0' + WorkstationName: %Workstations% condition: selection falsepositives: - Administrator activity From a66955013cb9246a172e8d400fe1126654d9101f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 13 Mar 2017 16:16:34 +0100 Subject: [PATCH 5/5] Update win_pass_the_hash.yml --- rules/windows/builtin/win_pass_the_hash.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_pass_the_hash.yml b/rules/windows/builtin/win_pass_the_hash.yml index a740d71ad..c6a361cca 100644 --- a/rules/windows/builtin/win_pass_the_hash.yml +++ b/rules/windows/builtin/win_pass_the_hash.yml @@ -1,4 +1,4 @@ -title: Detects Pass the hash Activity +title: Detects Pass the Hash Activity status: experimental description: 'Detects the attack technique pass the hash which is used to move laterally inside the network' reference: https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events @@ -14,13 +14,15 @@ detection: LogonProcess: 'NtLmSsp' KeyLength: '0' WorkstationName: %Workstations% + ComputerName: %Workstations% - EventID: 4625 LogonType: '3' LogonProcess: 'NtLmSsp' KeyLength: '0' WorkstationName: %Workstations% + ComputerName: %Workstations% condition: selection falsepositives: - Administrator activity - Penetration tests -level: high +level: medium
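Review bot: `WorkstationName: %Workstations%` in PATCH 4/5 is not parseable YAML: a plain scalar may not begin with `%` (the directive indicator), and PyYAML's scanner rejects it as a character that cannot start a token, so the whole rule file fails to load. Quote the placeholder in both list entries, `WorkstationName: '%Workstations%'`; the two `ComputerName: %Workstations%` lines added by PATCH 5/5 have the same problem and need the same quoting. The `detection:` context line shows the enclosing block, but the `selection` list's first entry (`- EventID: 4624`) begins above the hunk.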
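Review bot: Adding `ComputerName: %Workstations%` beside the existing `WorkstationName: %Workstations%` in PATCH 5/5 restricts each entry to logons where both the originating host and the logging host are workstations, so a hash replayed from a workstation against a file server or domain controller no longer matches, while the top-level `description` still promises detection of lateral movement "inside the network" in general. If the workstation-to-workstation scope is intentional, state it in `description` so analysts know servers are out of scope; otherwise leave the `ComputerName` constraint out of the selection, or add a second selection without it and use `condition: selection or selection_servers`. The level change to `medium` in the same hunk is consistent with the noise of NTLM-only indicators and needs no further change.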