5 Replies Latest reply on Oct 13, 2017 8:28 AM by andy777

    Pass-the-Hash Detection

    r_gine

I'm trying to build a rule to detect 'Pass-the-Hash' activity in our environment. The rule itself is easy to build (logic below for a sanity check), but it seems that the SIEM is not parsing a key field (Key Length) required to more accurately detect PtH.


      Logic:

      Device Type ID = 43

      Signature ID = 43-263046240

      Domain != <Our Domain>

      Logon_Type = 3 - Network

      Object = ntlm

      Source User != ANONYMOUS LOGON


      The problem is that by not parsing the 'Key Length' field the rule is subject to a lot of RDP (key length 128) noise. Is there any way to update the parser to parse this specific field?
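The rule logic from the post, applied to a few constructed logon records, as an added example that is not part of the thread or of any SIEM product: it shows how the Key Length check the poster wants removes the key-length-128 RDP noise while keeping the other conditions unchanged. The field names, the `CORP` domain placeholder and the sample events are assumptions made for the example (they mirror the fields of a Windows Security logon event but are not taken from the poster's SIEM).

```python
# Added example (not from the thread): the poster's PtH rule with and without
# the Key Length condition, run over constructed logon records.
from dataclasses import dataclass

OUR_DOMAIN = "CORP"  # placeholder for the poster's "<Our Domain>"


@dataclass
class LogonEvent:
    domain: str        # account domain as reported in the event
    user: str
    logon_type: int    # 3 = Network, as in the poster's rule
    auth_package: str  # "NTLM" stands in for the poster's 'Object = ntlm'
    key_length: int    # 128 for the RDP sessions the poster calls noise


def is_pth_candidate(ev: LogonEvent, require_key_length: bool = True) -> bool:
    """True if the event matches the thread's rule.

    require_key_length=False reproduces the poster's current situation
    (Key Length not parsed), which lets key-length-128 RDP logons through.
    """
    if ev.logon_type != 3:
        return False
    if ev.auth_package.lower() != "ntlm":
        return False
    if ev.user.upper() == "ANONYMOUS LOGON":
        return False
    if ev.domain.upper() == OUR_DOMAIN:
        return False
    # Assumption for the example: a key length of 0 is the value to keep;
    # the 128 seen on RDP sessions is the noise the poster wants dropped.
    if require_key_length and ev.key_length != 0:
        return False
    return True


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    LogonEvent("WORKGROUP", "jdoe", 3, "NTLM", 0),                 # candidate
    LogonEvent("WORKGROUP", "jdoe", 3, "NTLM", 128),               # RDP noise
    LogonEvent("CORP", "svc-backup", 3, "NTLM", 0),                # own domain
    LogonEvent("NT AUTHORITY", "ANONYMOUS LOGON", 3, "NTLM", 0),   # excluded
    LogonEvent("WORKGROUP", "admin", 10, "NTLM", 0),               # not type 3
]


def count_hits(events, require_key_length: bool = True) -> int:
    return sum(is_pth_candidate(e, require_key_length) for e in events)


if __name__ == "__main__":
    print("hits with Key Length parsed   :", count_hits(SAMPLE_EVENTS))
    print("hits without Key Length parsed:", count_hits(SAMPLE_EVENTS, False))
```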