forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
investigate_pass_the_hash_attempts.yml
33 lines (33 loc) · 1.25 KB
/
investigate_pass_the_hash_attempts.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
name: Investigate Pass the Hash Attempts
id: ed3fff45-cba6-4990-983f-6fac72bee659
version: 1
date: '2019-12-10'
author: Patrick Bareiss, Splunk
type: Investigation
datamodel: []
description: This search hunts for dumped NTLM hashes used for pass the hash.
search: '`wineventlog_security` EventCode=4624 Logon_Type=9 AuthenticationPackageName=Negotiate
| stats count earliest(_time) as first_login latest(_time) as last_login by src_user
dest | `security_content_ctime(first_login)` | `security_content_ctime(last_login)`
| search dest=$dest$'
how_to_implement: To successfully implement this search you need be ingesting windows
security logs. This search uses an input macro named `wineventlog_security`. We
strongly recommend that you specify your environment-specific configurations (index,
source, sourcetype, etc.) for Windows Security logs. Replace the macro definition
with configurations for your Splunk environment. The search also uses a post-filter
macro designed to filter out known false positives.
known_false_positives: ''
references: []
tags:
analytic_story:
- Credential Dumping
product:
- Splunk Phantom
required_fields:
- _time
- EventCode
- Logon_Type
- AuthenticationPackageName
- src_user
- dest
security_domain: endpoint