I'm trying to build a rule to detect 'Pass-the-Hash' activity in our environment. The rule itself is easy to build (logic below for a sanity check), but it seems that the SIEM is not parsing a key field (Key Length) required to detect PtH more accurately.
Device Type ID = 43
Signature ID = 43-263046240
Domain != <Our Domain>
Logon_Type = 3 - Network
Object = ntlm
Source User != ANONYMOUS LOGON
The problem is that by not parsing the 'Key Length' field the rule is subject to a lot of RDP (key length 128) noise. Is there any way to update the parser to parse this specific field?
You could filter out RDP traffic by:
Logon Type - not in - 10 RemoteInteractive
Not sure I'm exactly correct on the case sensitivity, so double check the letters etc., but I think this is the general way to a solution.
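As an added example (my own code, not from either post), the following parses the Key Length field out of constructed 4624 message bodies and runs the question's rule with and without the key length condition, so the RDP noise the question describes can be seen being dropped. Assumptions that are mine, not the thread's: the sample events and the CORP domain name are constructed, and Key Length 0 is treated as the PtH indicator, whereas the post only states that the RDP sessions show 128. The regex used to pull Key Length out of the message body is the kind of expression a SIEM custom property would anchor on; whether the poster's parser can be extended that way is not something the thread answers. The type-10 sample is included to show that the existing Logon Type = 3 condition already excludes it, so the type-3 NTLM session with key length 128 is the one that needs the extra field.

```python
import re

OUR_DOMAIN = "CORP"  # hypothetical stand-in for "<Our Domain>" in the posted rule


def make_4624(user, domain, logon_type, package, key_length):
    """Build a constructed 4624 message body in the Windows text layout.

    These are synthetic samples for the example, not events from anyone's SIEM.
    """
    logon_process = "Kerberos" if package == "Kerberos" else "NtLmSsp"
    return (
        "An account was successfully logged on.\n\n"
        "Subject:\n"
        "\tSecurity ID:\t\tS-1-0-0\n"
        "\tAccount Name:\t\t-\n"
        "\tAccount Domain:\t\t-\n\n"
        f"Logon Type:\t\t\t{logon_type}\n\n"
        "New Logon:\n"
        "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-500\n"
        f"\tAccount Name:\t\t{user}\n"
        f"\tAccount Domain:\t\t{domain}\n\n"
        "Detailed Authentication Information:\n"
        f"\tLogon Process:\t\t{logon_process}\n"
        f"\tAuthentication Package:\t{package}\n"
        f"\tKey Length:\t\t{key_length}\n"
    )


def _field(name, text):
    """Return the value of the 'name:' line, or '' if the line is absent.

    A line-anchored regex like this is what a SIEM custom event property
    would use to extract Key Length from the event payload.
    """
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.*?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else ""


def parse_4624(body):
    """Pull the fields the PtH rule needs out of a 4624 message body."""
    # Account Name/Domain appear twice: under Subject (who requested the
    # logon) and under New Logon (who was authenticated). The rule wants
    # the New Logon values, so search only the text after that header.
    new_logon = body.split("New Logon:", 1)[-1]
    key_length = _field("Key Length", body)
    return {
        "user": _field("Account Name", new_logon),
        "domain": _field("Account Domain", new_logon),
        "logon_type": _field("Logon Type", body),
        "auth_package": _field("Authentication Package", body),
        "key_length": int(key_length) if key_length.isdigit() else None,
    }


def base_rule(ev, our_domain=OUR_DOMAIN):
    """The rule as posted: 4624, logon type 3, NTLM, foreign domain, not anonymous."""
    return (
        ev["logon_type"] == "3"
        and ev["auth_package"].upper() == "NTLM"
        and ev["domain"].upper() != our_domain.upper()
        and ev["user"].upper() != "ANONYMOUS LOGON"
    )


def key_length_rule(ev, our_domain=OUR_DOMAIN):
    """Same rule plus the Key Length condition the poster could not express.

    Assumption (mine): Key Length 0 is treated as the PtH indicator; the
    post itself only says the RDP noise carries a key length of 128.
    """
    return base_rule(ev, our_domain) and ev["key_length"] == 0


SAMPLES = [  # constructed events; the labels exist only for this example
    ("pth_candidate", make_4624("administrator", "WORKSTATION01", 3, "NTLM", 0)),
    ("rdp_nla_type3", make_4624("contractor", "VENDORPC", 3, "NTLM", 128)),
    ("kerberos_domain", make_4624("jdoe", "CORP", 3, "Kerberos", 0)),
    ("anonymous", make_4624("ANONYMOUS LOGON", "NT AUTHORITY", 3, "NTLM", 0)),
    ("rdp_type10", make_4624("contractor", "VENDORPC", 10, "NTLM", 128)),
]


def flagged(rule, samples=SAMPLES, our_domain=OUR_DOMAIN):
    """Return the labels of the samples the given rule fires on."""
    return [label for label, body in samples if rule(parse_4624(body), our_domain)]


if __name__ == "__main__":
    print("without Key Length:", flagged(base_rule))
    print("with Key Length:   ", flagged(key_length_rule))
```

Running it shows the posted rule firing on both the PtH candidate and the type-3 NTLM RDP session, while the rule with the Key Length condition keeps only the PtH candidate; the type-10 RDP session never fires because Logon Type = 3 already excludes it.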