T1550.002

Pass the Hash

Adversaries may 'pass the hash' using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. When performing PtH, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. Adversaries may also use stolen password hashes to perform 'overpass the hash,' using the NTLM hash to create a valid Kerberos ticket for further lateral movement. Threat actors including APT28, APT32, APT41, Wizard Spider, FIN13, Chimera, and Kimsuky have all operationalized PtH using tools such as Mimikatz, Cobalt Strike, Invoke-SMBExec, Impacket, and CrackMapExec.

Microsoft Sentinel / Defender

kusto

let ExcludedAccounts = dynamic([
    "ANONYMOUS LOGON", "IUSR", "DWM-1", "DWM-2", "UMFD-0", "UMFD-1",
    "Window Manager", "Font Driver Host", "LOCAL SERVICE", "NETWORK SERVICE"
]);
// Branch 1: NTLM Network Logon (LogonType 3) to remote systems — classic PtH authentication pattern
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4624
| where LogonType == 3
| where AuthenticationPackageName =~ "NTLM"
| where AccountName !endswith "$"
| where AccountName !in~ (ExcludedAccounts)
| where IpAddress != "-" and IpAddress !in ("::1", "127.0.0.1", "")
| extend DetectionBranch = "NTLM_Network_Logon_PtH"
| extend ElevatedAccount = (ElevatedToken == "%%1842")
| extend NtlmVersion = LmPackageName
| project TimeGenerated, Computer, EventID, AccountName, AccountDomain,
          IpAddress, WorkstationName, LogonType, AuthenticationPackageName,
          NtlmVersion, DetectionBranch, ElevatedAccount
| union (
    // Branch 2: NewCredentials logon (LogonType 9) with NTLM — Mimikatz sekurlsa::pth /netonly signature
    // This logon type appears on the SOURCE machine when a process is spawned with injected credentials
    SecurityEvent
    | where TimeGenerated > ago(24h)
    | where EventID == 4624
    | where LogonType == 9
    | where AuthenticationPackageName =~ "NTLM"
    | where AccountName !endswith "$"
    | where AccountName !in~ (ExcludedAccounts)
    | extend DetectionBranch = "NewCredentials_Mimikatz_PtH"
    | extend ElevatedAccount = false
    | extend NtlmVersion = LmPackageName
    | project TimeGenerated, Computer, EventID, AccountName, AccountDomain,
              IpAddress = "", WorkstationName, LogonType, AuthenticationPackageName,
              NtlmVersion, DetectionBranch, ElevatedAccount
)
| union (
    // Branch 3: Suspicious LSASS process access — credential theft step preceding PtH
    // Access masks: 0x1010=VM_READ|QUERY_LIMITED, 0x1438=VM_READ|QUERY|VM_OP|DUP_HANDLE
    DeviceEvents
    | where Timestamp > ago(24h)
    | where ActionType == "OpenProcessApiCall"
    | where FileName =~ "lsass.exe"
    | where InitiatingProcessFileName !in~ (
        "MsMpEng.exe", "Taskmgr.exe", "procexp.exe", "procexp64.exe",
        "perfmon.exe", "WmiPrvSE.exe", "SecurityHealthService.exe",
        "svchost.exe", "csrss.exe", "wininit.exe", "lsm.exe"
    )
    | where RequestedPermissions in ("0x1010", "0x1438", "0x143a", "0x40", "0x1fffff")
    | extend DetectionBranch = "LSASS_Credential_Access_PrePtH"
    | extend ElevatedAccount = true
    | extend NtlmVersion = RequestedPermissions
    | project TimeGenerated = Timestamp, Computer = DeviceName, EventID = 10,
              AccountName, AccountDomain = "",
              IpAddress = "", WorkstationName = InitiatingProcessFileName,
              LogonType = -1, AuthenticationPackageName = "LSASS_ACCESS",
              NtlmVersion, DetectionBranch, ElevatedAccount
)
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Logon Session: Logon Session Creation User Account: User Account Authentication Windows Security Event Log Microsoft Defender for Endpoint

Required Tables

SecurityEvent DeviceEvents

False Positives

Legitimate IT monitoring and management agents (Datadog, SolarWinds, PRTG) authenticating via NTLM when Kerberos SPN is not properly configured for the monitoring service account
Backup solutions (Veeam, Commvault, Veritas) using service accounts that fall back to NTLM when accessing remote file shares across domain boundaries or when Kerberos delegation is unavailable
Vulnerability scanners (Nessus, Qualys, Rapid7) performing credentialed NTLM authentication sweeps across network segments during authorized scan windows
Legacy applications and services with no Kerberos support that always use NTLM for authentication — particularly common with older line-of-business apps and some industrial control system software
Cross-domain or cross-forest authentication where no Kerberos trust is established, forcing legitimate NTLM fallback for users accessing resources in untrusted domains

Splunk

spl

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624
    (Logon_Type=3 OR Logon_Type=9)
| rex field=_raw "Authentication Package:\s+(?P<AuthPackage>[^\r\n]+)"
| rex field=_raw "Account Name:\s+(?P<TargetAccount>[^\r\n]+)"
| rex field=_raw "Source Network Address:\s+(?P<SourceIP>[^\r\n]+)"
| rex field=_raw "Workstation Name:\s+(?P<SourceWorkstation>[^\r\n]+)"
| rex field=_raw "Package Name \(NTLM only\):\s+(?P<NtlmPackage>[^\r\n]+)"
| where match(AuthPackage, "(?i)NTLM")
| where NOT match(TargetAccount, "(?i)(\\$$|ANONYMOUS LOGON|IUSR|DWM-|UMFD-|LOCAL SERVICE|NETWORK SERVICE)")
| where SourceIP != "-" AND SourceIP != "::1" AND SourceIP != "127.0.0.1" AND SourceIP != ""
| eval DetectionBranch=case(
    Logon_Type="3", "NTLM_Network_Logon_Classic_PtH",
    Logon_Type="9", "NewCredentials_Mimikatz_PtH",
    true(), "Unknown"
)
| eval IsNTLMv1=if(match(NtlmPackage, "(?i)NTLM V1"), 1, 0)
| eval RiskScore=case(
    Logon_Type="9", 80,
    Logon_Type="3" AND IsNTLMv1=1, 70,
    Logon_Type="3", 60,
    true(), 40
)
| append [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=10
        TargetImage="*\\lsass.exe"
    | rex field=_raw "<GrantedAccess>(?P<GrantedAccess>[^<]+)<"
    | rex field=_raw "<SourceImage>(?P<SourceImage>[^<]+)<"
    | rex field=_raw "<User>(?P<LsassUser>[^<]+)<"
    | where match(GrantedAccess, "(0x1010|0x1438|0x143a|0x40|0x1fffff)")
    | where NOT match(SourceImage, "(?i)(MsMpEng\\.exe|Taskmgr\\.exe|procexp\\.exe|WmiPrvSE\\.exe|svchost\\.exe|csrss\\.exe|wininit\\.exe|SecurityHealthService\\.exe|perfmon\\.exe)")
    | eval TargetAccount=LsassUser, SourceIP="N/A", SourceWorkstation=SourceImage
    | eval AuthPackage="LSASS_ACCESS", NtlmPackage=GrantedAccess
    | eval DetectionBranch="LSASS_Credential_Access_PrePtH"
    | eval IsNTLMv1=0, RiskScore=85
]
| table _time, host, TargetAccount, SourceIP, SourceWorkstation, Logon_Type, AuthPackage, NtlmPackage, DetectionBranch, IsNTLMv1, RiskScore
| sort - _time

high severity medium confidence

Data Sources

Logon Session: Logon Session Creation User Account: User Account Authentication Windows Security Event Log Sysmon Event ID 10 (Process Access)

Required Sourcetypes

WinEventLog:Security XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate IT monitoring and management agents (Datadog, SolarWinds, PRTG) authenticating via NTLM when Kerberos SPN is not properly configured for the monitoring service account
Backup solutions (Veeam, Commvault, Veritas) using service accounts that fall back to NTLM when accessing remote file shares across domain boundaries or when Kerberos delegation is unavailable
Vulnerability scanners (Nessus, Qualys, Rapid7) performing credentialed NTLM authentication sweeps across network segments during authorized scan windows
Security and EDR agents that legitimately access LSASS process memory for monitoring, AV scanning, or credential guard enforcement purposes — these should be whitelisted by process name
Legacy applications and services with no Kerberos support that always use NTLM for network authentication, particularly common in mixed-OS or OT/ICS environments

Elastic Security (EQL)

eql

any where
  (
    event.code == "4624" and
    event.provider == "Microsoft-Windows-Security-Auditing" and
    winlog.event_data.LogonType in ("3", "9") and
    winlog.event_data.AuthenticationPackageName : "NTLM" and
    not winlog.event_data.TargetUserName : ("*$", "ANONYMOUS LOGON", "IUSR", "DWM-*", "UMFD-*", "LOCAL SERVICE", "NETWORK SERVICE", "Window Manager", "Font Driver Host") and
    winlog.event_data.IpAddress != null and
    not winlog.event_data.IpAddress in ("-", "::1", "127.0.0.1", "")
  ) or (
    event.code == "10" and
    event.provider == "Microsoft-Windows-Sysmon" and
    winlog.event_data.TargetImage : "*\\lsass.exe" and
    winlog.event_data.GrantedAccess in ("0x1010", "0x1438", "0x143a", "0x40", "0x1fffff") and
    not winlog.event_data.SourceImage : (
      "*\\MsMpEng.exe", "*\\Taskmgr.exe", "*\\procexp.exe", "*\\procexp64.exe",
      "*\\WmiPrvSE.exe", "*\\svchost.exe", "*\\csrss.exe", "*\\wininit.exe",
      "*\\SecurityHealthService.exe", "*\\perfmon.exe", "*\\lsm.exe"
    )
  )

high severity high confidence

Data Sources

Windows Security Event Log (Event ID 4624) Sysmon Event Log (Event ID 10 — Process Access)

Required Tables

winlogbeat-* logs-endpoint.events.authentication* .ds-logs-system.security* .ds-logs-windows.sysmon_operational*

False Positives

Legacy enterprise applications (e.g., older ERP or print management software) that force NTLM authentication over the network and generate Type 3 logons from service accounts — tune by excluding the specific source IPs or well-known service account names after baselining.
Administrators using 'runas /netonly' with domain credentials on a non-domain-joined workstation to access network resources generate LogonType 9 with NTLM; these are operationally legitimate but indistinguishable from Mimikatz pth /netonly without additional process ancestry context.
Endpoint security products, crash dump tooling (WER), and custom monitoring agents that legitimately open LSASS with broad access masks will trigger the LSASS branch — build and maintain an approved-binary allowlist by SHA256 hash in addition to filename exclusions, as filenames can be spoofed.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username AS account_name,
  sourceip AS source_ip,
  destinationip AS destination_ip,
  QIDNAME(qid) AS qradar_event_name,
  CASE
    WHEN eventid = 4624 AND "Logon Type" = '9' THEN 'NewCredentials_Mimikatz_PtH'
    WHEN eventid = 4624 AND "Logon Type" = '3' THEN 'NTLM_Network_Logon_PtH'
    WHEN eventid = 10                           THEN 'LSASS_Credential_Access_PrePtH'
    ELSE 'Unknown'
  END AS detection_branch,
  CASE
    WHEN eventid = 10                           THEN 85
    WHEN eventid = 4624 AND "Logon Type" = '9' THEN 80
    WHEN eventid = 4624 AND "Logon Type" = '3' THEN 65
    ELSE 40
  END AS risk_score
FROM events
WHERE
  starttime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    (
      LOGSOURCETYPEID(devicetype) IN (12, 13)
      AND eventid = 4624
      AND "Logon Type" IN ('3', '9')
      AND LOWER("Authentication Package Name") LIKE '%ntlm%'
      AND username NOT LIKE '%$'
      AND username NOT IN (
        'ANONYMOUS LOGON', 'IUSR', 'LOCAL SERVICE', 'NETWORK SERVICE',
        'DWM-1', 'DWM-2', 'UMFD-0', 'UMFD-1'
      )
      AND sourceip IS NOT NULL
      AND sourceip NOT IN ('127.0.0.1', '::1', '-', '')
    )
    OR (
      eventid = 10
      AND LOWER("Target Image") LIKE '%\\lsass.exe'
      AND "Granted Access" IN ('0x1010', '0x1438', '0x143a', '0x40', '0x1fffff')
      AND LOWER("Source Image") NOT LIKE '%msmpeng.exe'
      AND LOWER("Source Image") NOT LIKE '%taskmgr.exe'
      AND LOWER("Source Image") NOT LIKE '%procexp%'
      AND LOWER("Source Image") NOT LIKE '%wmiprvse.exe'
      AND LOWER("Source Image") NOT LIKE '%svchost.exe'
      AND LOWER("Source Image") NOT LIKE '%csrss.exe'
      AND LOWER("Source Image") NOT LIKE '%wininit.exe'
      AND LOWER("Source Image") NOT LIKE '%securityhealthservice.exe'
      AND LOWER("Source Image") NOT LIKE '%perfmon.exe'
    )
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM, LOGSOURCETYPEID 12/13) Microsoft Windows Sysmon Event Log (QRadar DSM)

Required Tables

events

False Positives

Network file shares and DFS namespaces accessed via NTLM by domain service accounts will produce high volumes of Type 3 logon events — establish per-service-account NTLM baselines and suppress recurring source/destination IP pairs that match approved file server infrastructure.
IT admin workflows using PsExec or WMI with explicit credentials against remote hosts for maintenance tasks generate Type 3 NTLM logons that are operationally identical to PtH unless the originating process is correlated; correlate with parent process data from Sysmon Event 1 to distinguish.
QRadar custom property parsing failures or field-mapping mismatches in the DSM for multi-line Windows Security events can cause 'Logon Type' or 'Authentication Package Name' to appear null, leading to either false positives from unfiltered matches or false negatives — validate DSM property extraction with test events before deploying this detection as an active offense rule.

Sumo Logic CSE

sql

(_sourceCategory="windows/security" OR _sourceCategory="windows/sysmon" OR _sourceCategory="OS/Windows/Security" OR _sourceCategory="OS/Windows/Sysmon")
| where EventCode in ("4624", "10")
| parse regex "(?s)Logon Type:\s+(?<LogonType>\d+)" nodrop
| parse regex "(?s)Authentication Package Name:\s+(?<AuthPackage>[^\r\n]+)" nodrop
| parse regex "(?s)Account Name:\s+(?<TargetAccount>[^\r\n]+)" nodrop
| parse regex "(?s)Source Network Address:\s+(?<SourceIP>[^\r\n]+)" nodrop
| parse regex "(?s)Package Name \\(NTLM only\\):\s+(?<NtlmPackage>[^\r\n]+)" nodrop
| parse regex "<TargetImage>(?<TargetImage>[^<]+)<" nodrop
| parse regex "<GrantedAccess>(?<GrantedAccess>[^<]+)<" nodrop
| parse regex "<SourceImage>(?<SourceImage>[^<]+)<" nodrop
| where (
    (
      EventCode = "4624"
      AND (LogonType = "3" OR LogonType = "9")
      AND AuthPackage matches /(?i).*NTLM.*/
      AND !(TargetAccount matches /(?i)(.*\$|ANONYMOUS LOGON|IUSR|DWM-|UMFD-|LOCAL SERVICE|NETWORK SERVICE)/)
      AND SourceIP != "-"
      AND SourceIP != "127.0.0.1"
      AND SourceIP != "::1"
      AND SourceIP != ""
      AND SourceIP != null
    ) OR (
      EventCode = "10"
      AND TargetImage matches /(?i).*\\lsass\.exe$/
      AND GrantedAccess in ("0x1010", "0x1438", "0x143a", "0x40", "0x1fffff")
      AND !(SourceImage matches /(?i).*(MsMpEng|Taskmgr|procexp|procexp64|WmiPrvSE|svchost|csrss|wininit|SecurityHealthService|perfmon|lsm)\.exe/)
    )
  )
| eval DetectionBranch = if(EventCode = "10", "LSASS_Credential_Access_PrePtH",
    if(LogonType = "9", "NewCredentials_Mimikatz_PtH", "NTLM_Network_Logon_PtH"))
| eval RiskScore = if(EventCode = "10", 85, if(LogonType = "9", 80, 65))
| fields _messageTime, _sourceHost, TargetAccount, SourceIP, LogonType, AuthPackage, NtlmPackage, GrantedAccess, TargetImage, SourceImage, DetectionBranch, RiskScore
| sort by _messageTime desc

high severity high confidence

Data Sources

Windows Security Event Log (Event ID 4624) Sysmon Operational Event Log (Event ID 10)

Required Tables

windows/security (Sumo Logic source category) windows/sysmon (Sumo Logic source category)

False Positives

Windows Remote Management (WinRM) and PowerShell remoting sessions using NTLM authentication across trusted subnets generate Type 3 logons — create an allowlist of approved management jump-host IPs and suppress those source addresses to reduce noise from legitimate admin activity.
Backup agents (e.g., Veeam, Commvault) and antivirus scan engines that enumerate LSASS memory for shadow copy coordination or legitimate memory scanning will trigger the LSASS access branch — document and hash-allowlist these by binary path and version as part of your tuning baseline.
The 'Account Name' regex parser may extract the machine account name or the subject account name depending on Windows event field ordering when multiple 'Account Name:' labels appear in the same event — validate parsed field accuracy against raw events and adjust the parse anchor regex to target specifically 'Target Account Name:' for Event 4624 if false matches occur.

Google Chronicle / SecOps

yaral

rule t1550_002_pass_the_hash_ntlm_logon {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Pass the Hash via NTLM LogonType 3 (network) and LogonType 9 (Mimikatz sekurlsa::pth /netonly) on Windows hosts"
    severity = "HIGH"
    risk_score = "75"
    technique = "T1550.002"
    tactic = "TA0008"
    reference = "https://attack.mitre.org/techniques/T1550/002/"
    version = "1.0"
    false_positives = "Legacy NTLM apps, runas /netonly admin workflows"

  events:
    $e.metadata.product_event_type = "4624"
    $e.metadata.vendor_name = "Microsoft"
    (
      $e.target.resource.attribute.labels["Logon Type"] = "3" or
      $e.target.resource.attribute.labels["Logon Type"] = "9"
    )
    re.regex($e.network.application_protocol, `(?i)NTLM`)
    not re.regex($e.target.user.userid, `.*\$$`)
    not $e.target.user.userid in (
      "ANONYMOUS LOGON", "IUSR", "LOCAL SERVICE", "NETWORK SERVICE",
      "DWM-1", "DWM-2", "UMFD-0", "UMFD-1"
    )
    $e.principal.ip != ""
    not $e.principal.ip in ("127.0.0.1", "::1", "-")
    $hostname = $e.principal.hostname

  match:
    $hostname over 1h

  outcome:
    $risk_score = max(
      if($e.target.resource.attribute.labels["Logon Type"] = "9", 80, 65)
    )
    $detection_branch = array_distinct(
      if(
        $e.target.resource.attribute.labels["Logon Type"] = "9",
        "NewCredentials_Mimikatz_PtH",
        "NTLM_Network_Logon_PtH"
      )
    )
    $unique_source_ips = array_distinct($e.principal.ip)
    $event_count = count()

  condition:
    $e
}

rule t1550_002_lsass_credential_access_pre_pth {
  meta:
    author = "Argus Detection Platform"
    description = "Detects suspicious LSASS process access with credential-dumping access masks, representing the credential harvesting step that precedes Pass the Hash"
    severity = "CRITICAL"
    risk_score = "85"
    technique = "T1550.002"
    tactic = "TA0006"
    reference = "https://attack.mitre.org/techniques/T1550/002/"
    version = "1.0"
    false_positives = "AV/EDR engines, crash dump tooling, legitimate monitoring agents"

  events:
    $e.metadata.product_event_type = "10"
    $e.metadata.vendor_name = "Microsoft"
    re.regex($e.target.process.file.full_path, `(?i).*\\lsass\.exe$`)
    $e.target.resource.attribute.labels["GrantedAccess"] in (
      "0x1010", "0x1438", "0x143a", "0x40", "0x1fffff"
    )
    not re.regex(
      $e.principal.process.file.full_path,
      `(?i).*(MsMpEng|Taskmgr|procexp|procexp64|WmiPrvSE|svchost|csrss|wininit|SecurityHealthService|perfmon|lsm)\.exe$`
    )
    $hostname = $e.principal.hostname

  match:
    $hostname over 1h

  outcome:
    $risk_score = max(85)
    $detection_branch = array_distinct("LSASS_Credential_Access_PrePtH")
    $accessing_process = array_distinct($e.principal.process.file.full_path)
    $access_masks_seen = array_distinct($e.target.resource.attribute.labels["GrantedAccess"])
    $event_count = count()

  condition:
    $e
}

critical severity high confidence

Data Sources

Windows Security Event Log via Chronicle forwarder or Google Cloud Chronicle ingestion (Event ID 4624) Sysmon Operational Log via Chronicle forwarder (Event ID 10)

Required Tables

UDM events (Chronicle normalized event stream) Microsoft Windows log source (Chronicle ingestion pipeline)

False Positives

CrowdStrike Falcon and Microsoft Defender for Endpoint sensor processes that legitimately open LSASS for telemetry collection use access masks that overlap with dumping masks — these should be excluded by principal.process.file.full_path regex additions scoped to your specific EDR sensor binary paths and verified against your deployed EDR version.
Domain controllers performing Kerberos-to-NTLM downgrade for legacy client compatibility will generate bursts of Type 3 NTLM logons from many workstations to the DC IP — exclude the DC's IP in principal.ip if it appears as a source, or tighten to flag only lateral east-west movement (workstation-to-workstation).
Automated integration testing pipelines that authenticate against Windows services using NTLM in CI/CD environments will fire the Type 3 branch continuously during build runs — if a known CI runner IP range exists, add it to a reference list and use 'not $e.principal.ip in %ci_runner_ips' in the events block.

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ("UserLogon", "OpenProcessApiCall")
| case {
    #event_simpleName = "UserLogon"
      | LogonType in (3, 9)
      | AuthenticationPackageName = /(?i)ntlm/
      | UserName != /.*\$$/
      | UserName not in (
          "ANONYMOUS LOGON", "IUSR", "LOCAL SERVICE",
          "NETWORK SERVICE", "DWM-1", "DWM-2", "UMFD-0", "UMFD-1"
        )
      | RemoteAddressIP4 != ""
      | RemoteAddressIP4 != "127.0.0.1"
      | RemoteAddressIP4 != "::1"
      | DetectionBranch := if(
          LogonType == 9,
          "NewCredentials_Mimikatz_PtH",
          "NTLM_Network_Logon_PtH"
        )
      | RiskScore := if(LogonType == 9, 80, 65) ;
    #event_simpleName = "OpenProcessApiCall"
      | TargetImageFileName = /(?i).*\\lsass\.exe$/
      | DesiredAccess in (
          "0x1010", "0x1438", "0x143a", "0x40", "0x1fffff"
        )
      | ImageFileName != /(?i).*(MsMpEng|Taskmgr|procexp|procexp64|WmiPrvSE|svchost|csrss|wininit|SecurityHealthService|perfmon|lsm)\.exe$/
      | DetectionBranch := "LSASS_Credential_Access_PrePtH"
      | RiskScore := 85
  }
| select(
    [
      ComputerName, UserName, UserDomain,
      RemoteAddressIP4, TargetImageFileName, ImageFileName,
      LogonType, AuthenticationPackageName, DesiredAccess,
      DetectionBranch, RiskScore
    ]
  )
| sort(order=desc, limit=1000)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Detection and Response (EDR) — UserLogon events CrowdStrike Falcon EDR — OpenProcessApiCall events (process access telemetry)

Required Tables

Falcon Data Replication stream (LogScale primary repository) #event_simpleName=UserLogon #event_simpleName=OpenProcessApiCall

False Positives

Falcon sensor self-updates and CrowdStrike diagnostic tooling (CSFalconService, CSAgent) may generate OpenProcessApiCall events against LSASS during telemetry initialization — the ImageFileName exclusion list should be extended with CrowdStrike's own sensor binary paths (e.g., C:\Windows\System32\drivers\CrowdStrike\*) after confirming via DesiredAccess that the access is not 0x1fffff.
Password management solutions (CyberArk PTA, Thycotic) and privileged access workstations that synchronize credentials via LSASS hooks will produce OpenProcessApiCall hits — correlate with the originating CommandLine from a joined ProcessRollup2 event on TargetProcessId to verify the credential sync workflow before suppressing.
Network authentication relay scenarios where a workstation authenticates to a local NAS or legacy print server via NTLM over the LAN will generate UserLogon Type 3 events with internal RFC1918 source IPs — if lateral movement is not a concern for those specific printer/NAS IPs, add them to a RemoteAddressIP4 exclusion set to reduce alert volume while retaining coverage for unexpected source IPs.

Last updated: 2026-04-20 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1550.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1550Use Alternate Authentication Material

Related Sub-techniques

T1550.001Application Access Token T1550.003Pass the Ticket T1550.004Web Session Cookie

Pass the Hash

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections