r_gine
Level 9
Message 1 of 9

Pass-the-Hash Detection

I'm trying to build a rule to detect 'Pass-the-Hash' activity in our environment. The rule itself is easy to build (logic below for a sanity check), but it seems that the SIEM is not parsing a key field (Key Length) required to more accurately detect PtH.

Logic:

Device Type ID = 43

Signature ID = 43-263046240

Domain != <Our Domain>

Logon_Type = 3 - Network

Object = ntlm

Source User != ANONYMOUS LOGON

The problem is that by not parsing the 'Key Length' field the rule is subject to a lot of RDP (key length 128) noise. Is there any way to update the parser to parse this specific field?
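As an added illustration (not the poster's rule, not McAfee ESM code), the logic above applied to constructed Windows 4624 event bodies, with the Key Length field parsed out of the "Detailed Authentication Information" section so the rule can use it. The event layout and field names are the ones Windows writes into a 4624 message; the account names, SIDs, addresses, the domain "CORP" standing in for <Our Domain>, and the treatment of Key Length 0 as the PtH signal (the post only says that 128 is the RDP noise) are assumptions:

```python
import re

OUR_DOMAIN = "CORP"  # placeholder for "<Our Domain>" in the posted rule

# Constructed 4624 message body in the layout Windows uses (field names are the
# real ones, all values are made up). Indented lines belong to the most recent
# unindented "Section:" header; "Logon Type:" sits at top level like Windows does.
def make_4624(user, domain, logon_type, package, key_length, workstation="WS01"):
    return f"""An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -

Logon Type:         {logon_type}

New Logon:
    Security ID:        S-1-5-21-1111-2222-3333-1105
    Account Name:       {user}
    Account Domain:     {domain}

Network Information:
    Workstation Name:   {workstation}
    Source Network Address: 10.0.0.25

Detailed Authentication Information:
    Logon Process:      NtLmSsp
    Authentication Package: {package}
    Package Name (NTLM only): NTLM V2
    Key Length:         {key_length}
"""

HEADER_RE = re.compile(r"^([^:]+?):\s*$")            # e.g. "New Logon:" (no value)
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")   # e.g. "Key Length:   0"

def parse_4624(message):
    """Return {"_": top-level fields, "<Section>": {field: value}} for a 4624 body."""
    parsed = {"_": {}}
    section = "_"
    for line in message.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            header = HEADER_RE.match(line)
            if header:                 # unindented "Name:" with no value opens a section
                section = header.group(1)
                parsed.setdefault(section, {})
                continue
            section = "_"              # unindented "Name: value" is a top-level field
        field = FIELD_RE.match(line)
        if field:
            parsed[section][field.group(1)] = field.group(2)
    return parsed

def is_pth_candidate(ev, our_domain=OUR_DOMAIN):
    """The posted rule plus the Key Length test the poster could not apply.

    Key Length 0 on an NTLM network logon is the usual PtH heuristic (assumption);
    the post itself only states that Key Length 128 is the benign RDP case.
    """
    logon = ev.get("New Logon", {})
    auth = ev.get("Detailed Authentication Information", {})
    user = logon.get("Account Name", "")
    domain = logon.get("Account Domain", "")
    key_length = auth.get("Key Length", "")
    return (
        ev["_"].get("Logon Type") == "3"                              # Logon_Type = 3 - Network
        and auth.get("Authentication Package", "").upper() == "NTLM"  # Object = ntlm
        and user.upper() != "ANONYMOUS LOGON"                         # Source User != ANONYMOUS LOGON
        and domain.upper() != our_domain.upper()                      # Domain != <Our Domain>
        and key_length.isdigit() and int(key_length) == 0             # the field the SIEM was not parsing
    )

def triage(messages, our_domain=OUR_DOMAIN):
    """Return 'user@domain' for every 4624 body the rule flags."""
    hits = []
    for msg in messages:
        ev = parse_4624(msg)
        if is_pth_candidate(ev, our_domain):
            nl = ev["New Logon"]
            hits.append(f"{nl['Account Name']}@{nl['Account Domain']}")
    return hits

# Constructed sample: one PtH-like logon and three kinds of noise the rule should drop.
SAMPLE_EVENTS = [
    make_4624("Administrator", "FILESRV01", 3, "NTLM", 0),       # NTLM network logon, no session key
    make_4624("jdoe", "CORP", 3, "NTLM", 128),                   # ordinary NTLM logon (the 128 noise)
    make_4624("ANONYMOUS LOGON", "NT AUTHORITY", 3, "NTLM", 0),  # null session, excluded by the rule
    make_4624("jdoe", "CORP", 10, "Negotiate", 128),             # RDP, excluded by logon type
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))   # ['Administrator@FILESRV01']
```

The point of splitting `parse_4624` from `is_pth_candidate` is the one the post makes: once Key Length is a parsed field, the 128-byte sessions drop out without touching the rest of the rule, and the remaining hits can still be false positives (local accounts on standalone hosts also log in with a domain that is not yours), so the result is a triage list, not a verdict.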

8 Replies
catdaddy
Reliable Contributor
Message 2 of 9

Re: Pass-the-Hash Detection

Discussion successfully moved from Community Support to Security Information and Event Management (SIEM)

For better support and better exposure.

Cliff
McAfee Volunteer
andy777
McAfee Employee
Message 3 of 9

Re: Pass-the-Hash Detection

Request forwarded via internal channels.

catdaddy
Reliable Contributor
Message 4 of 9

Re: Pass-the-Hash Detection

Thanks again Andy

Cliff
McAfee Volunteer
r_gine
Level 9
Message 5 of 9

Re: Pass-the-Hash Detection

Any word back on this?

andy777
McAfee Employee
Message 6 of 9

Re: Pass-the-Hash Detection

Nothing that I've seen. Make sure your system is regularly pulling down new rules from the rules server and hopefully it will pop up soon.

r_gine
Level 9
Message 7 of 9

Re: Pass-the-Hash Detection

A year + has gone by and no updates... 

David1111
Reliable Contributor
Message 8 of 9

Re: Pass-the-Hash Detection

You could filter out RDP traffic by:

Logon Type - not in - 10 RemoteInteractive

Not sure I'm exactly correct on the case sensitivity,

so double check the letters etc.,

but I think this is the general way to a solution.

Best regards👍👍👍

David

r_gine
Level 9
Message 9 of 9

Re: Pass-the-Hash Detection

We're already matching on network logon. Not sure excluding remote login would be of any value.