The successful use of Pass The Hash for lateral movement between workstations would trigger event ID 4624, with an event level of Information, from the security log. This behavior would be a LogonType of 3 using NTLM authentication where it is not a domain logon and not the ANONYMOUS LOGON account.
|Technique||Tactic||Level of Coverage|
|Pass the Hash||Lateral Movement||Moderate|
This analytic will look for remote logins, using a non domain login, from one host to another, using NTL authentication where the account is not “ANONYMOUS LOGON”
EventCode == 4624 and [target_user_name] != "ANONYMOUS LOGON" and [authentication_package_name] == "NTLM"
Test Case 1:
- Configurations: Windows 7
- Requirements: Administrator account
- Description: First, create a new user. Then, logon to the host with that new user. This is generate the event.
> net user 'test' 'test' /add # Creates the user
Data Model References