Detect Pass the Hash in CrowdStrike LogScale
Adversaries may 'pass the hash' using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. When performing PtH, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. Adversaries may also use stolen password hashes to perform 'overpass the hash,' using the NTLM hash to create a valid Kerberos ticket for further lateral movement. Threat actors including APT28, APT32, APT41, Wizard Spider, FIN13, Chimera, and Kimsuky have all operationalized PtH using tools such as Mimikatz, Cobalt Strike, Invoke-SMBExec, Impacket, and CrackMapExec.
MITRE ATT&CK
- Tactic
- Defense Evasion Lateral Movement
- Sub-technique
- T1550.002 Pass the Hash
- Canonical reference
- https://attack.mitre.org/techniques/T1550/002/
LogScale Detection Query
#event_simpleName in ("UserLogon", "OpenProcessApiCall")
| case {
#event_simpleName = "UserLogon"
| LogonType in (3, 9)
| AuthenticationPackageName = /(?i)ntlm/
| UserName != /.*\$$/
| UserName not in (
"ANONYMOUS LOGON", "IUSR", "LOCAL SERVICE",
"NETWORK SERVICE", "DWM-1", "DWM-2", "UMFD-0", "UMFD-1"
)
| RemoteAddressIP4 != ""
| RemoteAddressIP4 != "127.0.0.1"
| RemoteAddressIP4 != "::1"
| DetectionBranch := if(
LogonType == 9,
"NewCredentials_Mimikatz_PtH",
"NTLM_Network_Logon_PtH"
)
| RiskScore := if(LogonType == 9, 80, 65) ;
#event_simpleName = "OpenProcessApiCall"
| TargetImageFileName = /(?i).*\\lsass\.exe$/
| DesiredAccess in (
"0x1010", "0x1438", "0x143a", "0x40", "0x1fffff"
)
| ImageFileName != /(?i).*(MsMpEng|Taskmgr|procexp|procexp64|WmiPrvSE|svchost|csrss|wininit|SecurityHealthService|perfmon|lsm)\.exe$/
| DetectionBranch := "LSASS_Credential_Access_PrePtH"
| RiskScore := 85
}
| select(
[
ComputerName, UserName, UserDomain,
RemoteAddressIP4, TargetImageFileName, ImageFileName,
LogonType, AuthenticationPackageName, DesiredAccess,
DetectionBranch, RiskScore
]
)
| sort(order=desc, limit=1000)CrowdStrike Falcon LogScale (Humio) query using a case-branch structure to handle two Falcon telemetry event types in a single query. The UserLogon branch detects NTLM-authenticated network logons (LogonType 3 — classic PtH) and NewCredentials logons (LogonType 9 — Mimikatz sekurlsa::pth /netonly), filtering machine accounts, known service identities, and loopback addresses. The OpenProcessApiCall branch detects LSASS memory access with access masks associated with credential dumping tools (Mimikatz, lsass dump via procdump), excluding known-safe system and security processes. Field names reference CrowdStrike Falcon Data Replication (FDR) schema — 'DesiredAccess' maps to the granted access mask in OpenProcessApiCall events. Deploy as a Scheduled Query alert or Real-Time Alert rule in LogScale with a 15-minute window and threshold of 1.
Data Sources
Required Tables
False Positives & Tuning
- Falcon sensor self-updates and CrowdStrike diagnostic tooling (CSFalconService, CSAgent) may generate OpenProcessApiCall events against LSASS during telemetry initialization — the ImageFileName exclusion list should be extended with CrowdStrike's own sensor binary paths (e.g., C:\Windows\System32\drivers\CrowdStrike\*) after confirming via DesiredAccess that the access is not 0x1fffff.
- Password management solutions (CyberArk PTA, Thycotic) and privileged access workstations that synchronize credentials via LSASS hooks will produce OpenProcessApiCall hits — correlate with the originating CommandLine from a joined ProcessRollup2 event on TargetProcessId to verify the credential sync workflow before suppressing.
- Network authentication relay scenarios where a workstation authenticates to a local NAS or legacy print server via NTLM over the LAN will generate UserLogon Type 3 events with internal RFC1918 source IPs — if lateral movement is not a concern for those specific printer/NAS IPs, add them to a RemoteAddressIP4 exclusion set to reduce alert volume while retaining coverage for unexpected source IPs.
Other platforms for T1550.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Mimikatz sekurlsa::pth Hash Injection
Expected signal: Sysmon Event ID 10: mimikatz.exe accessing lsass.exe with GrantedAccess 0x1438. Sysmon Event ID 1: cmd.exe spawned with ParentImage=mimikatz.exe, showing abnormal parent-child relationship. Security Event ID 4624 on the local machine with LogonType=9 (NewCredentials) and AuthenticationPackageName=NTLM when the injected cmd.exe makes its first outbound connection. Security Event ID 4624 on any target system accessed from the injected session shows LogonType=3 with NTLM.
- Test 2Invoke-SMBExec Pass the Hash Lateral Movement
Expected signal: Security Event ID 4624 on target (192.168.1.10): LogonType=3, AuthenticationPackageName=NTLM — primary PtH authentication event. Sysmon Event ID 3 on source: outbound TCP connection to 192.168.1.10:445. Security Event ID 7045 on target: new service installed with random 7-character name and ImagePath pointing to cmd.exe. Sysmon Event ID 1 on target: cmd.exe spawned by the transient service process.
- Test 3Impacket psexec.py Pass the Hash from Linux
Expected signal: Security Event ID 4624 on Windows target: LogonType=3, AuthenticationPackageName=NTLM, IpAddress=<Linux attacker IP> — source IP being non-Windows is a high-fidelity indicator. Security Event ID 7045: new service named 'PSEXESVC' or randomly named service installed on target. Sysmon Event ID 1 on target: cmd.exe spawned by the installed Impacket service. Network captures show SMB NTLM authentication with challenge-response originating from a Linux host.
- Test 4CrackMapExec Pass the Hash Subnet Sweep
Expected signal: Multiple Security Event ID 4624 (LogonType=3, AuthenticationPackageName=NTLM) on each host in the subnet that responds — all originating from the same attacker source IP in rapid succession. Security Event ID 4625 (failed logon, LogonType=3, NTLM) on hosts where the hash is invalid. High volume of authentication events from a single source IP in a short window creates a clear spike in the SecurityEvent table.
References (11)
- https://attack.mitre.org/techniques/T1550/002/
- https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- https://learn.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview
- https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain
- https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md
- https://www.mandiant.com/resources/blog/fin13-a-cybercriminal-threat-actor-focused-on-mexico
- https://www.mandiant.com/resources/reports/apt1-exposing-one-of-chinas-cyber-espionage-units
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-301a
- https://github.com/SecureAuthCorp/impacket
- https://github.com/Kevin-Robertson/Invoke-TheHash
Unlock Pro Content
Get the full detection package for T1550.002 including response playbook, investigation guide, and atomic red team tests.