T1550.002 Google Chronicle · YARA-L

Detect Pass the Hash in Google Chronicle

Adversaries may 'pass the hash' using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. When performing PtH, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. Adversaries may also use stolen password hashes to perform 'overpass the hash,' using the NTLM hash to create a valid Kerberos ticket for further lateral movement. Threat actors including APT28, APT32, APT41, Wizard Spider, FIN13, Chimera, and Kimsuky have all operationalized PtH using tools such as Mimikatz, Cobalt Strike, Invoke-SMBExec, Impacket, and CrackMapExec.

MITRE ATT&CK

Tactic
Defense Evasion, Lateral Movement
Technique
T1550 Use Alternate Authentication Material
Sub-technique
T1550.002 Pass the Hash
Canonical reference
https://attack.mitre.org/techniques/T1550/002/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral
rule t1550_002_pass_the_hash_ntlm_logon {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Pass the Hash via Security 4624: NTLM LogonType 3 (network) on the target host, or LogonType 9 (NewCredentials through seclogo, e.g. Mimikatz sekurlsa::pth or runas /netonly) on the source host"
    severity = "HIGH"
    risk_score = "75"
    technique = "T1550.002"
    tactic = "TA0008"
    reference = "https://attack.mitre.org/techniques/T1550/002/"
    version = "1.0"
    false_positives = "Legacy NTLM apps, runas /netonly admin workflows"

  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.metadata.product_event_type = "4624"
    $e.metadata.vendor_name = "Microsoft"
    // Label keys depend on the Windows parser build in your tenant; some builds
    // expose Logon Type as extensions.auth.mechanism instead. Confirm the keys
    // with a UDM search on a known 4624 before deploying.
    (
      (
        // Branch A: NTLM network logon on the target host. This is the only
        // trace PtH leaves remotely, so the source IP filter belongs here.
        $e.target.resource.attribute.labels["Logon Type"] = "3" and
        re.regex($e.target.resource.attribute.labels["Authentication Package"], `(?i)^NTLM`) and
        $e.principal.ip != "" and
        not $e.principal.ip in ("127.0.0.1", "::1", "-")
      ) or
      (
        // Branch B: NewCredentials logon created locally by sekurlsa::pth or
        // runas /netonly. Windows logs it with Logon Process seclogo, package
        // Negotiate (not NTLM) and Source Network Address "-", so neither the
        // NTLM test nor the IP filter from Branch A can be applied here.
        $e.target.resource.attribute.labels["Logon Type"] = "9" and
        re.regex($e.target.resource.attribute.labels["Logon Process"], `(?i)^seclogo$`)
      )
    )
    // Machine accounts and built-in identities produce benign NTLM noise.
    not re.regex($e.target.user.userid, `.*\$$`)
    not $e.target.user.userid in (
      "ANONYMOUS LOGON", "IUSR", "LOCAL SERVICE", "NETWORK SERVICE",
      "DWM-1", "DWM-2", "UMFD-0", "UMFD-1"
    )
    $hostname = $e.principal.hostname

  match:
    $hostname over 1h

  outcome:
    $risk_score = max(
      if($e.target.resource.attribute.labels["Logon Type"] = "9", 80, 65)
    )
    $detection_branch = array_distinct(
      if(
        $e.target.resource.attribute.labels["Logon Type"] = "9",
        "NewCredentials_Mimikatz_PtH",
        "NTLM_Network_Logon_PtH"
      )
    )
    $unique_source_ips = array_distinct($e.principal.ip)
    $event_count = count()

  condition:
    $e
}

rule t1550_002_lsass_credential_access_pre_pth {
  meta:
    author = "Argus Detection Platform"
    description = "Detects suspicious LSASS process access with credential-dumping access masks, representing the credential harvesting step that precedes Pass the Hash"
    severity = "CRITICAL"
    risk_score = "85"
    technique = "T1550.002"
    tactic = "TA0006"
    reference = "https://attack.mitre.org/techniques/T1550/002/"
    version = "1.0"
    false_positives = "AV/EDR engines, crash dump tooling, legitimate monitoring agents"

  events:
    $e.metadata.product_event_type = "10"
    $e.metadata.vendor_name = "Microsoft"
    re.regex($e.target.process.file.full_path, `(?i).*\\lsass\.exe$`)
    $e.target.resource.attribute.labels["GrantedAccess"] in (
      "0x1010", "0x1438", "0x143a", "0x40", "0x1fffff"
    )
    not re.regex(
      $e.principal.process.file.full_path,
      `(?i).*(MsMpEng|Taskmgr|procexp|procexp64|WmiPrvSE|svchost|csrss|wininit|SecurityHealthService|perfmon|lsm)\.exe$`
    )
    $hostname = $e.principal.hostname

  match:
    $hostname over 1h

  outcome:
    $risk_score = max(85)
    $detection_branch = array_distinct("LSASS_Credential_Access_PrePtH")
    $accessing_process = array_distinct($e.principal.process.file.full_path)
    $access_masks_seen = array_distinct($e.target.resource.attribute.labels["GrantedAccess"])
    $event_count = count()

  condition:
    $e
}

Two YARA-L 2.0 rules for Google Chronicle Security Operations (SIEM). Rule 1 targets UDM USER_LOGIN events derived from Windows Security Event 4624 and has two branches: NTLM network logons (Logon Type 3) from a non-loopback source, which is what PtH leaves on the target host, and NewCredentials logons (Logon Type 9) made through the seclogo logon process, which is what sekurlsa::pth or runas /netonly leaves on the source host. Machine accounts and built-in service identities are excluded, and the outcome section computes a risk score and detection branch per event group. Rule 2 targets Sysmon Event 10 (process access) in UDM, matching LSASS as the target process with known credential-dumping access masks and excluding legitimate system processes via regex on the initiating process path. Both rules match over a 1-hour window per hostname and surface aggregated context (unique source IPs, event count, access masks) in the Chronicle detection findings panel.
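To make the logic of both rules concrete, the following Python is an added reference model, not Chronicle code and not part of the Argus rule set. It reproduces the branch tests and exclusions of the two YARA-L rules over a handful of constructed 4624 and Sysmon 10 events, groups hits per host into fixed one-hour buckets (YARA-L's match window is sliding; fixed buckets keep the model short) and builds the same outcome fields. Field names follow the raw Windows event data rather than UDM, and every host, user, path and IP in the sample is constructed.

```python
"""Reference model of the two YARA-L rules above, run over constructed Windows events.
Added example; field names follow the raw Security/Sysmon event data, not UDM."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Exclusions mirrored from Rule 1.
NOISE_ACCOUNTS = {"ANONYMOUS LOGON", "IUSR", "LOCAL SERVICE", "NETWORK SERVICE",
                  "DWM-1", "DWM-2", "UMFD-0", "UMFD-1"}
NO_SOURCE = {"", "-", "127.0.0.1", "::1"}
# Sysmon 10 GrantedAccess values and benign accessors mirrored from Rule 2.
DUMP_MASKS = {0x1010, 0x1438, 0x143A, 0x40, 0x1FFFFF}
BENIGN_ACCESSORS = re.compile(
    r"(?i)\\(MsMpEng|Taskmgr|procexp|procexp64|WmiPrvSE|svchost|csrss|wininit|"
    r"SecurityHealthService|perfmon|lsm)\.exe$")
BRANCH_RISK = {"NTLM_Network_Logon_PtH": 65,
               "NewCredentials_Mimikatz_PtH": 80,
               "LSASS_Credential_Access_PrePtH": 85}


def classify_4624(ev):
    """Rule 1: return the detection branch for a Security 4624 event, or None."""
    user = ev["TargetUserName"]
    if user.endswith("$") or user.upper() in NOISE_ACCOUNTS:
        return None                                  # machine / built-in account noise
    if (ev["LogonType"] == "3"
            and ev["AuthenticationPackageName"].upper().startswith("NTLM")
            and ev.get("IpAddress", "") not in NO_SOURCE):
        return "NTLM_Network_Logon_PtH"               # remote NTLM logon on the target
    if ev["LogonType"] == "9" and ev["LogonProcessName"].lower() == "seclogo":
        return "NewCredentials_Mimikatz_PtH"          # local sekurlsa::pth / runas /netonly
    return None


def classify_sysmon10(ev):
    """Rule 2: flag LSASS handle opens with dumping masks from non-allowlisted images."""
    if not re.search(r"(?i)\\lsass\.exe$", ev["TargetImage"]):
        return None
    if int(ev["GrantedAccess"], 16) not in DUMP_MASKS:
        return None
    if BENIGN_ACCESSORS.search(ev["SourceImage"]):
        return None
    return "LSASS_Credential_Access_PrePtH"


def run_rules(events):
    """Group hits per (host, 1h bucket) and compute the outcome fields of both rules."""
    groups = defaultdict(lambda: {"branches": set(), "risk_score": 0,
                                  "source_ips": set(), "event_count": 0})
    classifiers = {4624: classify_4624, 10: classify_sysmon10}
    for ev in events:
        classify = classifiers.get(ev["EventID"])
        branch = classify(ev) if classify else None
        if branch is None:
            continue
        hour = ev["ts"].replace(minute=0, second=0, microsecond=0).isoformat()
        g = groups[(ev["host"], hour)]
        g["branches"].add(branch)
        g["risk_score"] = max(g["risk_score"], BRANCH_RISK[branch])
        g["event_count"] += 1
        ip = ev.get("IpAddress", "")
        if ip not in NO_SOURCE:
            g["source_ips"].add(ip)
    return dict(groups)


# Constructed sample telemetry (hosts, users, paths and IPs are invented).
T0 = datetime(2024, 5, 1, 9, 5, 0)
SAMPLE_EVENTS = [
    # mimikatz opens LSASS, then sekurlsa::pth creates a NewCredentials logon on WS01
    {"ts": T0, "host": "WS01", "EventID": 10, "SourceImage": r"C:\tools\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1438"},
    {"ts": T0 + timedelta(seconds=2), "host": "WS01", "EventID": 4624,
     "TargetUserName": "jsmith", "LogonType": "9", "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate", "IpAddress": "-"},
    # the injected session authenticates to WS02 over SMB with the stolen hash
    {"ts": T0 + timedelta(seconds=30), "host": "WS02", "EventID": 4624,
     "TargetUserName": "jsmith", "LogonType": "3", "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.5"},
    # benign noise the exclusions must drop: machine account, Kerberos, EDR engine
    {"ts": T0 + timedelta(seconds=31), "host": "WS02", "EventID": 4624,
     "TargetUserName": "WS01$", "LogonType": "3", "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.5"},
    {"ts": T0 + timedelta(seconds=40), "host": "WS02", "EventID": 4624,
     "TargetUserName": "jsmith", "LogonType": "3", "LogonProcessName": "Kerberos",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.7"},
    {"ts": T0 + timedelta(minutes=3), "host": "WS03", "EventID": 10,
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
]

if __name__ == "__main__":
    for (host, hour), g in sorted(run_rules(SAMPLE_EVENTS).items()):
        print(host, hour, g["risk_score"], sorted(g["branches"]), sorted(g["source_ips"]))
```

Running it yields two groups: WS01 carries both the LSASS access and the NewCredentials branch (risk 85) with no source IP, and WS02 carries a single NTLM network logon from 10.0.0.5 (risk 65); the machine-account, Kerberos and Defender events are dropped. The Type 9 event only surfaces because the model, like the rule above, does not apply the NTLM and source-IP tests to that branch.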

Data Sources

  • Windows Security Event Log via Chronicle forwarder or Google Cloud Chronicle ingestion (Event ID 4624)
  • Sysmon Operational Log via Chronicle forwarder (Event ID 10)

Required Tables

  • UDM events (Chronicle normalized event stream)
  • Microsoft Windows log source (Chronicle ingestion pipeline)

False Positives & Tuning

  • CrowdStrike Falcon and Microsoft Defender for Endpoint sensor processes that legitimately open LSASS for telemetry collection use access masks that overlap with dumping masks — these should be excluded by principal.process.file.full_path regex additions scoped to your specific EDR sensor binary paths and verified against your deployed EDR version.
  • Clients that fall back from Kerberos to NTLM (authentication by IP address rather than hostname, non-domain-joined or legacy clients, missing SPNs) generate bursts of Type 3 NTLM logons on domain controllers and file servers. In those events the DC is the logging host, not the source, so excluding its IP in principal.ip does nothing; instead scope the rule with a reference list of DC and file-server hostnames on the match variable, or require the logon target to be a workstation so that only east-west, workstation-to-workstation logons are flagged.
  • Automated integration testing pipelines that authenticate against Windows services using NTLM in CI/CD environments will fire the Type 3 branch continuously during build runs — if a known CI runner IP range exists, add it to a reference list and use 'not $e.principal.ip in %ci_runner_ips' in the events block.
Testing Methodology

Validate this detection against four test cases modelled on Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Mimikatz sekurlsa::pth Hash Injection

    Expected signal: Sysmon Event ID 10: mimikatz.exe opening lsass.exe with GrantedAccess 0x1438 (sekurlsa::pth patches the credentials of the new logon session inside LSASS). Sysmon Event ID 1: cmd.exe spawned with ParentImage=mimikatz.exe, an abnormal parent-child relationship. Security Event ID 4624 on the local machine with LogonType=9 (NewCredentials), LogonProcessName=seclogo and AuthenticationPackageName=Negotiate, written when the new logon session is created, before any network traffic; the injected NTLM hash is only used when that cmd.exe first authenticates outbound. Security Event ID 4624 on any target system accessed from the injected session shows LogonType=3, AuthenticationPackageName=NTLM and LogonProcessName=NtLmSsp.

  2. Test 2: Invoke-SMBExec Pass the Hash Lateral Movement

    Expected signal: Security Event ID 4624 on target (192.168.1.10): LogonType=3, AuthenticationPackageName=NTLM, the primary PtH authentication event. Sysmon Event ID 3 on source: outbound TCP connection to 192.168.1.10:445. Security Event ID 7045 on target: new service installed under a random name with an ImagePath invoking cmd.exe. Sysmon Event ID 1 on target: cmd.exe spawned by the transient service process.

  3. Test 3: Impacket psexec.py Pass the Hash from Linux

    Expected signal: Security Event ID 4624 on Windows target: LogonType=3, AuthenticationPackageName=NTLM, IpAddress=<Linux attacker IP>. A source IP that belongs to no domain-joined Windows asset, paired with a WorkstationName that matches nothing in inventory, is a high-fidelity indicator. Security Event ID 7045 on target: a randomly named service whose ImagePath is a randomly named executable dropped into the ADMIN$ share (PSEXESVC is the Sysinternals PsExec service name, not what Impacket installs by default). Sysmon Event ID 1 on target: cmd.exe spawned by the installed Impacket service. Network captures show SMB NTLM challenge-response authentication originating from a Linux host.

  4. Test 4: CrackMapExec Pass the Hash Subnet Sweep

    Expected signal: Multiple Security Event ID 4624 (LogonType=3, AuthenticationPackageName=NTLM) on each host in the subnet that responds, all originating from the same attacker source IP in rapid succession. Security Event ID 4625 (failed logon, LogonType=3, NTLM) on hosts where the hash is invalid. Aggregated by source IP across hosts, the burst of authentications in a short window stands out clearly; note that Rule 1 matches per hostname, so the cross-host view needs a pivot on $e.principal.ip in UDM search or a second rule whose match variable is the source IP.
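The sweep in Test 4 is a cross-host pattern, one source IP reaching many hosts with NTLM Type 3 logons that partly succeed (4624) and partly fail (4625), which a per-hostname match window cannot express on its own. The following Python is an added example, not part of the page's rule set and not CrackMapExec code, showing the aggregation by source IP over constructed events; the five-minute window and five-host threshold are assumed values to tune locally, and the hosts, users and IPs are invented.

```python
"""Cross-host view of the Test 4 sweep signature over constructed events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def ntlm_network_logon(ev):
    """True for Security 4624/4625 events that are NTLM Type 3 logons by a named user."""
    return (ev["EventID"] in (4624, 4625)
            and ev["LogonType"] == "3"
            and ev["AuthenticationPackageName"].upper().startswith("NTLM")
            and not ev["TargetUserName"].endswith("$"))


def find_sweeps(events, window=timedelta(minutes=5), min_hosts=5):
    """Return {source_ip: summary} for sources whose NTLM Type 3 logons reach at least
    min_hosts distinct hosts inside any window-sized span. Thresholds are assumed values."""
    by_src = defaultdict(list)
    for ev in events:
        if ntlm_network_logon(ev):
            by_src[ev["IpAddress"]].append(ev)
    sweeps = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, first in enumerate(evs):            # sliding window anchored on each event
            span = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            hosts = {e["host"] for e in span}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"hosts": hosts,
                        "success": sum(e["EventID"] == 4624 for e in span),
                        "failed": sum(e["EventID"] == 4625 for e in span),
                        "users": sorted({e["TargetUserName"] for e in span})}
        if best is not None:
            best["hosts"] = sorted(best["hosts"])
            sweeps[src] = best
    return sweeps


# Constructed sample telemetry: one attacker source sweeps eight workstations in 40 s,
# the hash is valid on six and rejected on two; a second source is normal user traffic.
T0 = datetime(2024, 5, 1, 9, 30, 0)


def _evt(offset_s, host, eid, src, user="jsmith"):
    return {"ts": T0 + timedelta(seconds=offset_s), "host": host, "EventID": eid,
            "LogonType": "3", "AuthenticationPackageName": "NTLM",
            "IpAddress": src, "TargetUserName": user}


SAMPLE_EVENTS = (
    [_evt(5 * n, f"WS{n:02d}", 4624, "10.0.0.5") for n in range(1, 7)]
    + [_evt(5 * n, f"WS{n:02d}", 4625, "10.0.0.5") for n in range(7, 9)]
    + [_evt(60, "FS01", 4624, "10.0.0.20", "mwong"),
       _evt(900, "FS01", 4624, "10.0.0.20", "mwong")]
)

if __name__ == "__main__":
    for src, s in find_sweeps(SAMPLE_EVENTS).items():
        print(src, len(s["hosts"]), "hosts", s["success"], "ok", s["failed"], "failed", s["users"])
```

Only 10.0.0.5 is reported: eight distinct hosts, six successes and two failures inside one window. The benign source touches a single host and never reaches the threshold, and raising min_hosts above eight empties the result, which is the knob to turn when a jump host legitimately fans out to many servers.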
