r_gine
Level 9
Message 1 of 9

Pass-the-Hash Detection

I'm trying to build a rule to detect 'Pass-the-Hash' activity in our environment. The rule itself is easy to build (logic below for a sanity check), but it seems that the SIEM is not parsing a key field (Key Length) required to more accurately detect PtH.

Logic:

Device Type ID = 43

Signature ID = 43-263046240

Domain != <Our Domain>

Logon_Type = 3 - Network

Object = ntlm

Source User != ANONYMOUS LOGON

The problem is that by not parsing the 'Key Length' field the rule is subject to a lot of RDP (key length 128) noise. Is there any way to update the parser to parse this specific field?

8 Replies
catdaddy Reliable Contributor
Message 2 of 9

Re: Pass-the-Hash Detection

Discussion successfully moved from Community Support to Security Information and Event Management (SIEM)

For better support and better exposure.

Cliff
McAfee Volunteer
andy777 McAfee Employee
Message 3 of 9

Re: Pass-the-Hash Detection

Request forwarded via internal channels.

catdaddy Reliable Contributor
Message 4 of 9

Re: Pass-the-Hash Detection

Thanks again Andy

Cliff
McAfee Volunteer
r_gine
Level 9
Message 5 of 9

Re: Pass-the-Hash Detection

Any word back on this?

andy777 McAfee Employee
Message 6 of 9

Re: Pass-the-Hash Detection

Nothing that I've seen. Make sure your system is regularly pulling down new rules from the rules server and hopefully it will pop up soon.

r_gine
Level 9
Message 7 of 9

Re: Pass-the-Hash Detection

A year + has gone by and no updates... 

David1111 Reliable Contributor
Message 8 of 9

Re: Pass-the-Hash Detection

You could filter out RDP traffic by:

Logon Type - not in - 10 RemoteInteractive

Not sure I'm exactly correct on the case sensitivity, so double check the letters etc., but I think this is the general way to a solution.

Best regards👍👍👍

David

r_gine
Level 9
Message 9 of 9

Re: Pass-the-Hash Detection

We're already matching on network logon. Not sure excluding remote login would be of any value.
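To make the whole thread concrete, here is the rule from the opening post run over a handful of constructed 4624-style records, once with the Key Length field parsed and once with it dropped the way the poster's SIEM drops it, and with the Logon Type 10 exclusion suggested later applied on top. This is an added illustration, not McAfee ESM correlation logic or the poster's rule export: the flat key=value record format, the `LogonEvent` class, the `CORP` placeholder for "<Our Domain>" and the sample events are all assumptions made for the example. It relies on the same premise as the thread, that the RDP-over-NLA noise carries Key Length 128 while the Pass-the-Hash pattern carries Key Length 0; treat the result as a noise filter, not as proof of PtH, since legitimate NTLM logons with Key Length 0 do exist.

```python
"""Pass-the-Hash candidate filter over constructed Windows 4624 records.

Added example, not code from the forum thread or from McAfee ESM.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Assumption: placeholder for the thread's "<Our Domain>".
OUR_DOMAIN = "CORP"

ALL_FIELDS: FrozenSet[str] = frozenset({
    "EventID", "LogonType", "AuthenticationPackageName",
    "TargetUserName", "TargetDomainName", "KeyLength", "IpAddress",
})

# key=value pairs whose values may contain spaces ("ANONYMOUS LOGON");
# a value runs until the next " Key=" token or end of line.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass(frozen=True)
class LogonEvent:
    event_id: int
    logon_type: int
    auth_package: str           # the SIEM's "Object" field: NTLM / Kerberos / Negotiate
    account_name: str           # the SIEM's "Source User" field
    account_domain: str
    key_length: Optional[int]   # None when the parser did not extract the field
    source_ip: str


# Constructed sample records (not real logs, not the ESM raw format), one per
# branch of the rule.
RAW_LOGS = [
    # PtH pattern: NTLM network logon, non-domain account, Key Length 0
    "EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=Administrator TargetDomainName=WS-017 KeyLength=0 IpAddress=10.0.0.55",
    # RDP with NLA: identical shape but Key Length 128, the noise the poster sees
    "EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=jdoe TargetDomainName=WS-017 KeyLength=128 IpAddress=10.0.0.21",
    # Domain account over NTLM: dropped by the Domain != <Our Domain> clause
    "EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=svc_backup TargetDomainName=CORP KeyLength=128 IpAddress=10.0.0.9",
    # Null session: dropped by the Source User != ANONYMOUS LOGON clause
    "EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=ANONYMOUS LOGON TargetDomainName=NT AUTHORITY KeyLength=0 IpAddress=10.0.0.40",
    # Kerberos network logon: dropped by the Object = ntlm clause
    "EventID=4624 LogonType=3 AuthenticationPackageName=Kerberos TargetUserName=jdoe TargetDomainName=CORP KeyLength=0 IpAddress=10.0.0.21",
    # Interactive RDP logon (type 10): never reaches the Logon_Type = 3 clause
    "EventID=4624 LogonType=10 AuthenticationPackageName=Negotiate TargetUserName=jdoe TargetDomainName=CORP KeyLength=0 IpAddress=10.0.0.21",
]


def parse_event(raw: str, parsed_fields: FrozenSet[str] = ALL_FIELDS) -> LogonEvent:
    """Parse one record, keeping only the fields the (simulated) parser extracts."""
    fields = {k: v for k, v in KV_RE.findall(raw) if k in parsed_fields}
    return LogonEvent(
        event_id=int(fields["EventID"]),
        logon_type=int(fields["LogonType"]),
        auth_package=fields["AuthenticationPackageName"],
        account_name=fields["TargetUserName"],
        account_domain=fields["TargetDomainName"],
        key_length=int(fields["KeyLength"]) if "KeyLength" in fields else None,
        source_ip=fields["IpAddress"],
    )


def is_pth_candidate(ev: LogonEvent, our_domain: str = OUR_DOMAIN,
                     exclude_logon_type_10: bool = False) -> bool:
    """The thread's rule plus the Key Length test the poster wants to add.

    When key_length is None (field not parsed) the clause cannot run and the
    event is kept, which is exactly why the unparsed rule is noisy.
    """
    if ev.event_id != 4624 or ev.logon_type != 3:
        return False
    if exclude_logon_type_10 and ev.logon_type == 10:
        return False                      # unreachable: type 3 was required above
    if ev.auth_package.lower() != "ntlm":
        return False
    if ev.account_domain.upper() == our_domain.upper():
        return False
    if ev.account_name.upper() == "ANONYMOUS LOGON":
        return False
    if ev.key_length is not None and ev.key_length != 0:
        return False                      # 128 = session security present, e.g. RDP/NLA
    return True


def run_rule(raw_logs: List[str], parse_key_length: bool = True,
             exclude_logon_type_10: bool = False) -> List[str]:
    """Return DOMAIN\\user@ip for every record the rule fires on."""
    fields = ALL_FIELDS if parse_key_length else ALL_FIELDS - {"KeyLength"}
    hits = []
    for raw in raw_logs:
        ev = parse_event(raw, fields)
        if is_pth_candidate(ev, exclude_logon_type_10=exclude_logon_type_10):
            hits.append(f"{ev.account_domain}\\{ev.account_name}@{ev.source_ip}")
    return hits


if __name__ == "__main__":
    print("Key Length unparsed:", run_rule(RAW_LOGS, parse_key_length=False))
    print("Key Length parsed:  ", run_rule(RAW_LOGS, parse_key_length=True))
    print("plus type-10 filter:", run_rule(RAW_LOGS, parse_key_length=False,
                                           exclude_logon_type_10=True))
```

Run as written, the unparsed rule fires on both the Administrator logon and the jdoe RDP logon; parsing Key Length keeps only the Administrator event. Adding the Logon Type 10 exclusion changes nothing, because a rule pinned to Logon Type 3 can never see a type 10 event, which is the point the final reply makes.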