title: Pass the Hash Activity
author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
date: 2017/03/08
description: Detects the attack technique pass the hash which is used to move laterally
  inside the network
detection:
  SELECTION_1:
    EventID: 4624
  SELECTION_2:
    EventID: 4625
  SELECTION_3:
    LogonType: '3'
  SELECTION_4:
    LogonProcessName: NtLmSsp
  SELECTION_5:
    WorkstationName: '%Workstations%'
  SELECTION_6:
    ComputerName: '%Workstations%'
  SELECTION_7:
    AccountName: ANONYMOUS LOGON
  condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and SELECTION_5
    and SELECTION_6) and  not (SELECTION_7))
falsepositives:
- Administrator activity
- Penetration tests
id: f8d98d6c-7a07-4d74-b064-dd4a3c244528
level: medium
logsource:
  definition: The successful use of PtH for lateral movement between workstations
    would trigger event ID 4624, a failed logon attempt would trigger an event ID
    4625
  product: windows
  service: security
references:
- https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
status: experimental
tags:
- attack.lateral_movement
- attack.t1075
- car.2016-04-004
- attack.t1550.002
ruletype: SIGMA