T1550.002 IBM QRadar · QRadar

Detect Pass the Hash in IBM QRadar

Adversaries may 'pass the hash' using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. When performing PtH, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. Adversaries may also use stolen password hashes to perform 'overpass the hash,' using the NTLM hash to create a valid Kerberos ticket for further lateral movement. Threat actors including APT28, APT32, APT41, Wizard Spider, FIN13, Chimera, and Kimsuky have all operationalized PtH using tools such as Mimikatz, Cobalt Strike, Invoke-SMBExec, Impacket, and CrackMapExec.

MITRE ATT&CK

Tactic
Defense Evasion, Lateral Movement
Technique
T1550 Use Alternate Authentication Material
Sub-technique
T1550.002 Pass the Hash
Canonical reference
https://attack.mitre.org/techniques/T1550/002/

QRadar Detection Query

IBM QRadar (QRadar)
```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username AS account_name,
  sourceip AS source_ip,
  destinationip AS destination_ip,
  QIDNAME(qid) AS qradar_event_name,
  CASE
    WHEN eventid = 4624 AND "Logon Type" = '9' THEN 'NewCredentials_Mimikatz_PtH'
    WHEN eventid = 4624 AND "Logon Type" = '3' THEN 'NTLM_Network_Logon_PtH'
    WHEN eventid = 10                           THEN 'LSASS_Credential_Access_PrePtH'
    ELSE 'Unknown'
  END AS detection_branch,
  CASE
    WHEN eventid = 10                           THEN 85
    WHEN eventid = 4624 AND "Logon Type" = '9' THEN 80
    WHEN eventid = 4624 AND "Logon Type" = '3' THEN 65
    ELSE 40
  END AS risk_score
FROM events
WHERE
  starttime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    (
      devicetype IN (12, 13)
      AND eventid = 4624
      AND "Logon Type" IN ('3', '9')
      AND LOWER("Authentication Package Name") LIKE '%ntlm%'
      AND username NOT LIKE '%$'
      AND username NOT IN (
        'ANONYMOUS LOGON', 'IUSR', 'LOCAL SERVICE', 'NETWORK SERVICE',
        'DWM-1', 'DWM-2', 'UMFD-0', 'UMFD-1'
      )
      AND sourceip IS NOT NULL
      AND sourceip NOT IN ('127.0.0.1', '::1', '-', '')
    )
    OR (
      eventid = 10
      AND LOWER("Target Image") LIKE '%\\lsass.exe'
      AND "Granted Access" IN ('0x1010', '0x1438', '0x143a', '0x40', '0x1fffff')
      AND LOWER("Source Image") NOT LIKE '%msmpeng.exe'
      AND LOWER("Source Image") NOT LIKE '%taskmgr.exe'
      AND LOWER("Source Image") NOT LIKE '%procexp%'
      AND LOWER("Source Image") NOT LIKE '%wmiprvse.exe'
      AND LOWER("Source Image") NOT LIKE '%svchost.exe'
      AND LOWER("Source Image") NOT LIKE '%csrss.exe'
      AND LOWER("Source Image") NOT LIKE '%wininit.exe'
      AND LOWER("Source Image") NOT LIKE '%securityhealthservice.exe'
      AND LOWER("Source Image") NOT LIKE '%perfmon.exe'
    )
  )
ORDER BY starttime DESC
```

Severity: high. Confidence: medium.

AQL query targeting QRadar Windows Security Event Log log sources (LOGSOURCETYPEID 12/13 — Microsoft Windows Security Event Log) for Event ID 4624 with NTLM authentication and LogonType 3 or 9, and Sysmon Event ID 10 for LSASS process access with credential-dumping access masks. The query uses QRadar custom properties for 'Logon Type', 'Authentication Package Name', 'Target Image', 'Granted Access', and 'Source Image' — these must be defined as custom event properties in the QRadar DSM Editor and mapped to the Windows Security and Sysmon log sources prior to deployment. Risk scores are computed inline to support QRadar offense correlation rules.

Data Sources

  • Microsoft Windows Security Event Log (QRadar DSM, LOGSOURCETYPEID 12/13)
  • Microsoft Windows Sysmon Event Log (QRadar DSM)

Required Tables

events

False Positives & Tuning

  • Network file shares and DFS namespaces accessed via NTLM by domain service accounts will produce high volumes of Type 3 logon events — establish per-service-account NTLM baselines and suppress recurring source/destination IP pairs that match approved file server infrastructure.
  • IT admin workflows using PsExec or WMI with explicit credentials against remote hosts for maintenance tasks generate Type 3 NTLM logons that are operationally identical to PtH unless the originating process is correlated; correlate with parent process data from Sysmon Event 1 to distinguish.
  • QRadar custom property parsing failures or field-mapping mismatches in the DSM for multi-line Windows Security events can cause 'Logon Type' or 'Authentication Package Name' to appear null, leading to either false positives from unfiltered matches or false negatives — validate DSM property extraction with test events before deploying this detection as an active offense rule.

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Mimikatz sekurlsa::pth Hash Injection

    Expected signal: Sysmon Event ID 10: mimikatz.exe accessing lsass.exe with GrantedAccess 0x1438. Sysmon Event ID 1: cmd.exe spawned with ParentImage=mimikatz.exe, showing abnormal parent-child relationship. Security Event ID 4624 on the local machine with LogonType=9 (NewCredentials) and AuthenticationPackageName=NTLM when the injected cmd.exe makes its first outbound connection. Security Event ID 4624 on any target system accessed from the injected session shows LogonType=3 with NTLM.

  2. Test 2: Invoke-SMBExec Pass the Hash Lateral Movement

    Expected signal: Security Event ID 4624 on target (192.168.1.10): LogonType=3, AuthenticationPackageName=NTLM — primary PtH authentication event. Sysmon Event ID 3 on source: outbound TCP connection to 192.168.1.10:445. Security Event ID 7045 on target: new service installed with random 7-character name and ImagePath pointing to cmd.exe. Sysmon Event ID 1 on target: cmd.exe spawned by the transient service process.

  3. Test 3: Impacket psexec.py Pass the Hash from Linux

    Expected signal: Security Event ID 4624 on Windows target: LogonType=3, AuthenticationPackageName=NTLM, IpAddress=<Linux attacker IP> — source IP being non-Windows is a high-fidelity indicator. Security Event ID 7045: new service named 'PSEXESVC' or randomly named service installed on target. Sysmon Event ID 1 on target: cmd.exe spawned by the installed Impacket service. Network captures show SMB NTLM authentication with challenge-response originating from a Linux host.

  4. Test 4: CrackMapExec Pass the Hash Subnet Sweep

    Expected signal: Multiple Security Event ID 4624 (LogonType=3, AuthenticationPackageName=NTLM) on each host in the subnet that responds — all originating from the same attacker source IP in rapid succession. Security Event ID 4625 (failed logon, LogonType=3, NTLM) on hosts where the hash is invalid. High volume of authentication events from a single source IP in a short window creates a clear spike in the SecurityEvent table.
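The two branches of the AQL query above, its account and source-image exclusions from the tuning notes, and the single-source sweep pattern described in Test 4, as an added Python example that is not part of the original page or of QRadar. The events are constructed, and `sweep_sources` goes beyond the query, which scores events one at a time, by aggregating NTLM Type 3 logons per source IP.

```python
# Constructed sample events (not real telemetry); keys mirror the QRadar native
# columns and custom event properties the AQL query relies on.
def logon(ltype, pkg, user, src, t, dst=None):
    return {"eventid": 4624, "Logon Type": ltype, "Authentication Package Name": pkg,
            "username": user, "sourceip": src, "destinationip": dst, "time": t}

EVENTS = [
    logon("9", "NTLM", "jdoe", "10.0.0.5", 1000),       # NewCredentials logon (Mimikatz pth style)
    logon("3", "NTLM", "WS01$", "10.0.0.5", 1001),      # machine account, suppressed
    logon("3", "Kerberos", "jdoe", "10.0.0.5", 1002),   # not NTLM, suppressed
    {"eventid": 10, "Target Image": r"C:\Windows\System32\lsass.exe", "time": 1003,
     "Granted Access": "0x1438", "Source Image": r"C:\Users\Public\m.exe"},
    {"eventid": 10, "Target Image": r"C:\Windows\System32\lsass.exe", "time": 1004,
     "Granted Access": "0x1410", "Source Image": r"C:\Windows\System32\svchost.exe"},
] + [logon("3", "NTLM", "jdoe", "10.0.0.9", 2000 + i * 500, f"10.0.1.{i}") for i in range(8)]

EXCLUDED_USERS = {"ANONYMOUS LOGON", "IUSR", "LOCAL SERVICE", "NETWORK SERVICE",
                  "DWM-1", "DWM-2", "UMFD-0", "UMFD-1"}
LOOPBACK = {"127.0.0.1", "::1", "-", ""}
LSASS_MASKS = {"0x1010", "0x1438", "0x143a", "0x40", "0x1fffff"}
BENIGN_LSASS_READERS = ("msmpeng.exe", "taskmgr.exe", "wmiprvse.exe", "svchost.exe",
                        "csrss.exe", "wininit.exe", "securityhealthservice.exe", "perfmon.exe")

def classify(ev):
    """Mirror the query's two branches; return (detection_branch, risk_score) or None."""
    if ev.get("eventid") == 4624:
        user, src, ltype = ev.get("username", ""), ev.get("sourceip"), ev.get("Logon Type")
        if (ltype not in ("3", "9") or "ntlm" not in ev.get("Authentication Package Name", "").lower()
                or user.endswith("$") or user in EXCLUDED_USERS or src is None or src in LOOPBACK):
            return None
        return ("NewCredentials_Mimikatz_PtH", 80) if ltype == "9" else ("NTLM_Network_Logon_PtH", 65)
    if ev.get("eventid") == 10:
        img = ev.get("Source Image", "").lower()
        if (not ev.get("Target Image", "").lower().endswith("\\lsass.exe")
                or ev.get("Granted Access") not in LSASS_MASKS
                or img.endswith(BENIGN_LSASS_READERS) or "procexp" in img):
            return None
        return ("LSASS_Credential_Access_PrePtH", 85)
    return None

def sweep_sources(events, window_ms=60_000, min_hosts=5):
    """Aggregation the AQL does not do: flag a source whose NTLM Type 3 logons reach
    at least min_hosts distinct destinations inside window_ms (the Test 4 sweep pattern)."""
    by_src = {}
    for ev in events:
        if (classify(ev) or ("",))[0] == "NTLM_Network_Logon_PtH":
            by_src.setdefault(ev["sourceip"], []).append((ev["time"], ev["destinationip"]))
    return {src for src, hits in by_src.items()
            if any(len({d for t, d in hits if 0 <= t - t0 <= window_ms}) >= min_hosts
                   for t0, _ in hits)}
```

Thresholds for the sweep (window and host count) should come from the per-environment baseline recommended in the tuning notes rather than the constructed defaults here.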
