I'm trying to build a rule to detect 'Pass-the-Hash' activity in our environment. The rule itself is easy to build (logic below for a sanity check), but it seems that the SIEM is not parsing a key field (Key Length) required to more accurately detect PtH.
Device Type ID = 43
Signature ID = 43-263046240
Domain != <Our Domain>
Logon_Type = 3 - Network
Object = ntlm
Source User != ANONYMOUS LOGON
The problem is that by not parsing the 'Key Length' field the rule is subject to a lot of RDP (key length 128) noise. Is there any way to update the parser to parse this specific field?
You could filter out RDP traffic by:
Logon Type - not in - 10 RemoteInteractive
Not sure I'm exactly correct on the case sensitivity,
so double check the letters etc.,
but I think this is the general way to a solution.
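To show what the rule above does with and without the Key Length field, here is an added example that is not part of either post and not McAfee ESM code: it applies the question's conditions to a handful of constructed Windows 4624 events written as key=value lines. The field names follow the Windows event XML (LogonType, AuthenticationPackageName, KeyLength, TargetUserName, TargetDomainName); mapping them onto the ESM names in the rule (Logon_Type, Object, Source User, Domain), the domain name CORP, and the sample events themselves are all assumptions. The samples include an NTLM network logon with a 128-bit key (the RDP/NLA noise described in the question) and a LogonType 10 interactive logon, which the Logon_Type = 3 condition already leaves out.

```python
import re
from typing import Dict, List

# Assumption: the organisation's own domain as it appears in TargetDomainName.
OUR_DOMAIN = "CORP"

# Constructed sample Security-log 4624 events in key=value form (not real logs).
SAMPLE_EVENTS = [
    # NTLM network logon with a 0-bit session key: the pass-the-hash profile
    "EventID=4624 LogonType=3 AuthenticationPackageName=NTLM KeyLength=0 "
    "TargetUserName=jdoe TargetDomainName=WS01 IpAddress=10.0.0.5",
    # NTLM network logon with a 128-bit key: the RDP/NLA noise from the question
    "EventID=4624 LogonType=3 AuthenticationPackageName=NTLM KeyLength=128 "
    "TargetUserName=helpdesk TargetDomainName=WS02 IpAddress=10.0.0.9",
    # Null session: dropped by the Source User != ANONYMOUS LOGON condition
    "EventID=4624 LogonType=3 AuthenticationPackageName=NTLM KeyLength=0 "
    "TargetUserName=ANONYMOUS LOGON TargetDomainName=NT AUTHORITY IpAddress=10.0.0.7",
    # Kerberos logon from our own domain: dropped by the Domain and Object conditions
    "EventID=4624 LogonType=3 AuthenticationPackageName=Kerberos KeyLength=0 "
    "TargetUserName=svc_backup TargetDomainName=CORP IpAddress=10.0.0.3",
    # Interactive RDP logon (type 10): never LogonType 3, so never matches
    "EventID=4624 LogonType=10 AuthenticationPackageName=Negotiate KeyLength=128 "
    "TargetUserName=jdoe TargetDomainName=WS03 IpAddress=10.0.0.8",
]

# key=value pairs; the value runs until the next " key=" so it may contain spaces
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value event line into a dict (values may contain spaces)."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def rule_matches(ev: Dict[str, str], require_zero_key_length: bool) -> bool:
    """The question's PtH rule; optionally also require KeyLength == 0."""
    if ev.get("EventID") != "4624":
        return False
    if ev.get("LogonType") != "3":                                  # Logon_Type = 3 - Network
        return False
    if ev.get("AuthenticationPackageName", "").lower() != "ntlm":   # Object = ntlm
        return False
    if ev.get("TargetUserName", "").upper() == "ANONYMOUS LOGON":   # Source User != ANONYMOUS LOGON
        return False
    if ev.get("TargetDomainName", "").upper() == OUR_DOMAIN:        # Domain != <Our Domain>
        return False
    if require_zero_key_length and ev.get("KeyLength") != "0":      # the missing Key Length check
        return False
    return True


def run_rule(lines: List[str], require_zero_key_length: bool) -> List[str]:
    """Return user@domain for every sample event the rule fires on."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if rule_matches(ev, require_zero_key_length):
            hits.append(f"{ev['TargetUserName']}@{ev['TargetDomainName']}")
    return hits


if __name__ == "__main__":
    print("without KeyLength:", run_rule(SAMPLE_EVENTS, False))
    print("with KeyLength=0 :", run_rule(SAMPLE_EVENTS, True))
```

Run as-is, the rule without the Key Length condition fires on both NTLM network logons (the 0-bit one and the 128-bit RDP/NLA one); adding KeyLength == 0 leaves only the first, which is the noise reduction the question is after.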