r_gine
Level 7

Pass-the-Hash Detection

I'm trying to build a rule to detect 'Pass-the-Hash' activity in our environment. The rule itself is easy to build (logic below for a sanity check), but it seems that the SIEM is not parsing a key field (Key Length) required to more accurately detect PtH.

Logic:

Device Type ID = 43

Signature ID = 43-263046240

Domain != <Our Domain>

Logon_Type = 3 - Network

Object = ntlm

Source User != ANONYMOUS LOGON

The problem is that by not parsing the 'Key Length' field the rule is subject to a lot of RDP (key length 128) noise. Is there any way to update the parser to parse this specific field?

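The rule above, re-implemented over raw Windows 4624 message text so the effect of the missing Key Length condition can be seen on sample events. This is an added example for this thread, not code from the original post or from McAfee ESM. Assumptions: ESM signature 43-263046240 corresponds to Windows Security event 4624, `CORP` stands in for the poster's `<Our Domain>`, and the four events are constructed test data rather than real logs.

```python
"""Triage Windows 4624 events for Pass-the-Hash indicators (added example)."""
import re
from dataclasses import dataclass

OUR_DOMAIN = "CORP"  # assumption: placeholder for the poster's <Our Domain>

# Layout of a 4624 message body, reduced to the fields the rule needs.
EVENT_TEMPLATE = """An account was successfully logged on.

Subject:
\tAccount Name:\t\t-
\tAccount Domain:\t\t-

Logon Type:\t\t\t{logon_type}

New Logon:
\tAccount Name:\t\t{name}
\tAccount Domain:\t\t{domain}

Network Information:
\tSource Network Address:\t{src_ip}

Detailed Authentication Information:
\tLogon Process:\t\t{process}
\tAuthentication Package:\t{package}
\tKey Length:\t\t{key_length}
"""

# Constructed sample events (test data, not real logs).
SAMPLE_EVENTS = [
    # PtH shape: NTLM over the network, non-domain account domain, no session key.
    EVENT_TEMPLATE.format(logon_type=3, name="Administrator", domain="WS01",
                          src_ip="10.0.0.5", process="NtLmSsp", package="NTLM", key_length=0),
    # RDP/NLA from a workgroup host: same shape, but a 128-bit session key.
    EVENT_TEMPLATE.format(logon_type=3, name="jdoe", domain="WS02",
                          src_ip="10.0.0.6", process="NtLmSsp", package="NTLM", key_length=128),
    # Ordinary domain NTLM logon: excluded by the domain condition.
    EVENT_TEMPLATE.format(logon_type=3, name="svc_backup", domain="CORP",
                          src_ip="10.0.0.7", process="NtLmSsp", package="NTLM", key_length=128),
    # Null session: also key length 0, excluded by the user condition.
    EVENT_TEMPLATE.format(logon_type=3, name="ANONYMOUS LOGON", domain="NT AUTHORITY",
                          src_ip="10.0.0.8", process="NtLmSsp", package="NTLM", key_length=0),
]


@dataclass
class Logon:
    logon_type: int
    account_name: str
    account_domain: str
    auth_package: str
    key_length: int
    source_ip: str


def _field(text, label):
    """Return the value of a 'Label:<tabs>value' line, or '' if absent."""
    m = re.search(re.escape(label) + r":[ \t]*(.*?)[ \t]*$", text, re.M)
    return m.group(1) if m else ""


def parse_4624(text):
    # Account Name/Domain appear under both "Subject:" and "New Logon:"; the
    # identity that logged on is the latter, so scope those lookups to it.
    m = re.search(r"^New Logon:\n(.*?)(?=^\S|\Z)", text, re.M | re.S)
    new_logon = m.group(1) if m else ""
    return Logon(
        logon_type=int(_field(text, "Logon Type") or -1),
        account_name=_field(new_logon, "Account Name"),
        account_domain=_field(new_logon, "Account Domain"),
        auth_package=_field(text, "Authentication Package"),
        key_length=int(_field(text, "Key Length") or -1),
        source_ip=_field(text, "Source Network Address"),
    )


def is_pth_candidate(ev, our_domain=OUR_DOMAIN, check_key_length=True):
    """The poster's conditions, plus the Key Length check the parser lacked."""
    if ev.logon_type != 3:                                  # Logon_Type = 3 - Network
        return False
    if ev.auth_package.upper() != "NTLM":                   # Object = ntlm
        return False
    if ev.account_domain.upper() == our_domain.upper():     # Domain != <Our Domain>
        return False
    if ev.account_name.upper() == "ANONYMOUS LOGON":        # Source User != ANONYMOUS LOGON
        return False
    if check_key_length and ev.key_length != 0:             # Key Length = 0 cuts RDP (128) noise
        return False
    return True


def triage(raw_events, check_key_length=True):
    """Return (domain, user, source_ip) for every event the rule fires on."""
    hits = []
    for raw in raw_events:
        ev = parse_4624(raw)
        if is_pth_candidate(ev, check_key_length=check_key_length):
            hits.append((ev.account_domain, ev.account_name, ev.source_ip))
    return hits
```

Calling `triage(SAMPLE_EVENTS, check_key_length=False)` reproduces the rule as the poster can currently express it and fires on both the PtH-shaped event and the RDP/NLA event; with the Key Length condition enabled only the first remains. One caveat on the `Domain != <Our Domain>` condition: it deliberately drops NTLM logons by domain accounts, so a hash replayed for a domain user against a domain member will not be caught by this shape of rule and needs a separate condition (for example, keyed on the source host or the Key Length alone).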
5 Replies
catdaddy
Level 20

Re: Pass-the-Hash Detection

Discussion successfully moved from Community Support to Security Information and Event Management (SIEM)

For better support and better exposure.

Cliff
McAfee Volunteer
McAfee Employee

Re: Pass-the-Hash Detection

Request forwarded via internal channels.

catdaddy
Level 20

Re: Pass-the-Hash Detection

Thanks again Andy

Cliff
McAfee Volunteer
r_gine
Level 7

Re: Pass-the-Hash Detection

Any word back on this?

McAfee Employee

Re: Pass-the-Hash Detection

Nothing that I've seen. Make sure your system is regularly pulling down new rules from the rules server, and hopefully it will pop up soon.
