The successful use of Pass The Hash for lateral movement between workstations would trigger event ID 4624, with an event level of Information, from the security log. This behavior would be a LogonType of 3 using NTLM authentication where it is not a domain logon and not the ANONYMOUS LOGON account.

ATT&CK Detection

Technique Tactic Level of Coverage
Pass the Hash Lateral Movement Moderate

Pseudocode

This analytic will look for remote logins, using a non domain login, from one host to another, using NTL authentication where the account is not “ANONYMOUS LOGON”

EventCode == 4624 and [target_user_name] != "ANONYMOUS LOGON" and
[authentication_package_name] == "NTLM"

Unit Tests

Test Case 1:

  • Configurations: Windows 7
  • Requirements: Administrator account
  • Description: First, create a new user. Then, logon to the host with that new user. This is generate the event.
  • Commands:
    > net user 'test' 'test' /add # Creates the user
    

Data Model References

Object Action Field
usersession local logontype