r_gine (Level 9)
Message 1 of 9

Pass-the-Hash Detection

I'm trying to build a rule to detect 'Pass-the-Hash' activity in our environment. The rule itself is easy to build (logic below for a sanity check), but it seems that the SIEM is not parsing a key field (Key Length) required to more accurately detect PtH.

Logic:

Device Type ID = 43

Signature ID = 43-263046240

Domain != <Our Domain>

Logon_Type = 3 - Network

Object = ntlm

Source User != ANONYMOUS LOGON

The problem is that by not parsing the 'Key Length' field the rule is subject to a lot of RDP (key length 128) noise. Is there any way to update the parser to parse this specific field?
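The rule logic above, with and without the missing Key Length condition, as an added Python example (not McAfee ESM rule syntax and not code from the thread); the key=value event layout, the field names and the CORP domain are assumptions, and the sample events are constructed.

```python
import shlex

# Values taken from the rule in the post; OUR_DOMAIN stands in for "<Our Domain>".
DEVICE_TYPE_ID = "43"
SIGNATURE_ID = "43-263046240"
OUR_DOMAIN = "CORP"            # assumption: placeholder for the poster's domain
RDP_KEY_LENGTH = "128"         # the post attributes Key Length 128 to RDP noise

# Constructed sample events in an assumed key=value layout (not the ESM format).
SAMPLE_EVENTS = """\
dev_type=43 sig_id=43-263046240 domain=CORP logon_type=3 object=ntlm src_user=alice key_length=128
dev_type=43 sig_id=43-263046240 domain=WORKGROUP logon_type=3 object=ntlm src_user=svc_backup key_length=0
dev_type=43 sig_id=43-263046240 domain=OTHER logon_type=3 object=ntlm src_user="ANONYMOUS LOGON" key_length=0
dev_type=43 sig_id=43-263046240 domain=OTHER logon_type=10 object=ntlm src_user=bob key_length=128
dev_type=43 sig_id=43-263046240 domain=OTHER logon_type=3 object=ntlm src_user=carol key_length=128
dev_type=43 sig_id=43-263046240 domain=OTHER logon_type=3 object=kerberos src_user=dave key_length=0
"""

def parse_event(line):
    """Parse one key=value line; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields

def base_rule_matches(ev):
    """The six conditions from the post, i.e. the rule without Key Length."""
    return (ev.get("dev_type") == DEVICE_TYPE_ID
            and ev.get("sig_id") == SIGNATURE_ID
            and ev.get("domain") != OUR_DOMAIN
            and ev.get("logon_type") == "3"
            and ev.get("object", "").lower() == "ntlm"
            and ev.get("src_user") != "ANONYMOUS LOGON")

def pth_rule_matches(ev):
    """Same rule plus the Key Length exclusion the poster cannot apply yet."""
    return base_rule_matches(ev) and ev.get("key_length") != RDP_KEY_LENGTH

def evaluate(text):
    """Return (users hit by the base rule, users hit once Key Length is filtered)."""
    events = [parse_event(line) for line in text.splitlines() if line.strip()]
    base = [e["src_user"] for e in events if base_rule_matches(e)]
    filtered = [e["src_user"] for e in events if pth_rule_matches(e)]
    return base, filtered

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # (['svc_backup', 'carol'], ['svc_backup'])
```

The first list shows the noise the poster describes (carol's NTLM network logon with Key Length 128); the second is what the rule returns once the field is parsed.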

8 Replies
catdaddy (Reliable Contributor)
Message 2 of 9

Re: Pass-the-Hash Detection

Discussion successfully moved from Community Support to Security Information and Event Management (SIEM) for better support and better exposure.

Cliff
McAfee Volunteer
andy777 (McAfee Employee)
Message 3 of 9

Re: Pass-the-Hash Detection

Request forwarded via internal channels.

catdaddy (Reliable Contributor)
Message 4 of 9

Re: Pass-the-Hash Detection

Thanks again Andy

Cliff
McAfee Volunteer
r_gine (Level 9)
Message 5 of 9

Re: Pass-the-Hash Detection

Any word back on this?

andy777 (McAfee Employee)
Message 6 of 9

Re: Pass-the-Hash Detection

Nothing that I've seen. Make sure your system is regularly pulling down new rules from the rules server, and hopefully it will pop up soon.

r_gine (Level 9)
Message 7 of 9

Re: Pass-the-Hash Detection

A year+ has gone by and no updates...

David1111 (Reliable Contributor)
Message 8 of 9

Re: Pass-the-Hash Detection

You could filter out RDP traffic by:

Logon Type - not in - 10 RemoteInteractive

Not sure I'm exactly correct on the case sensitivity, so double check the letters etc., but I think this is the general way to a solution.

Best regards👍👍👍

David

r_gine (Level 9)
Message 9 of 9

Re: Pass-the-Hash Detection

We're already matching on network login. Not sure excluding remote login would be of any value.