Detect Pass the Hash in Splunk
Adversaries may 'pass the hash' using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. When performing PtH, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. Adversaries may also use stolen password hashes to perform 'overpass the hash,' using the NTLM hash to create a valid Kerberos ticket for further lateral movement. Threat actors including APT28, APT32, APT41, Wizard Spider, FIN13, Chimera, and Kimsuky have all operationalized PtH using tools such as Mimikatz, Cobalt Strike, Invoke-SMBExec, Impacket, and CrackMapExec.
MITRE ATT&CK
- Tactic
- Defense Evasion Lateral Movement
- Sub-technique
- T1550.002 Pass the Hash
- Canonical reference
- https://attack.mitre.org/techniques/T1550/002/
SPL Detection Query
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624
(Logon_Type=3 OR Logon_Type=9)
| rex field=_raw "Authentication Package:\s+(?P<AuthPackage>[^\r\n]+)"
| rex field=_raw "Account Name:\s+(?P<TargetAccount>[^\r\n]+)"
| rex field=_raw "Source Network Address:\s+(?P<SourceIP>[^\r\n]+)"
| rex field=_raw "Workstation Name:\s+(?P<SourceWorkstation>[^\r\n]+)"
| rex field=_raw "Package Name \(NTLM only\):\s+(?P<NtlmPackage>[^\r\n]+)"
| where match(AuthPackage, "(?i)NTLM")
| where NOT match(TargetAccount, "(?i)(\\$$|ANONYMOUS LOGON|IUSR|DWM-|UMFD-|LOCAL SERVICE|NETWORK SERVICE)")
| where SourceIP != "-" AND SourceIP != "::1" AND SourceIP != "127.0.0.1" AND SourceIP != ""
| eval DetectionBranch=case(
Logon_Type="3", "NTLM_Network_Logon_Classic_PtH",
Logon_Type="9", "NewCredentials_Mimikatz_PtH",
true(), "Unknown"
)
| eval IsNTLMv1=if(match(NtlmPackage, "(?i)NTLM V1"), 1, 0)
| eval RiskScore=case(
Logon_Type="9", 80,
Logon_Type="3" AND IsNTLMv1=1, 70,
Logon_Type="3", 60,
true(), 40
)
| append [
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=10
TargetImage="*\\lsass.exe"
| rex field=_raw "<GrantedAccess>(?P<GrantedAccess>[^<]+)<"
| rex field=_raw "<SourceImage>(?P<SourceImage>[^<]+)<"
| rex field=_raw "<User>(?P<LsassUser>[^<]+)<"
| where match(GrantedAccess, "(0x1010|0x1438|0x143a|0x40|0x1fffff)")
| where NOT match(SourceImage, "(?i)(MsMpEng\\.exe|Taskmgr\\.exe|procexp\\.exe|WmiPrvSE\\.exe|svchost\\.exe|csrss\\.exe|wininit\\.exe|SecurityHealthService\\.exe|perfmon\\.exe)")
| eval TargetAccount=LsassUser, SourceIP="N/A", SourceWorkstation=SourceImage
| eval AuthPackage="LSASS_ACCESS", NtlmPackage=GrantedAccess
| eval DetectionBranch="LSASS_Credential_Access_PrePtH"
| eval IsNTLMv1=0, RiskScore=85
]
| table _time, host, TargetAccount, SourceIP, SourceWorkstation, Logon_Type, AuthPackage, NtlmPackage, DetectionBranch, IsNTLMv1, RiskScore
| sort - _timeDetects Pass the Hash attacks in Splunk using two correlated branches: (1) Windows Security Event 4624 with NTLM authentication and LogonType 3 (Network logon to remote target) or LogonType 9 (NewCredentials — Mimikatz sekurlsa::pth signature on attacker host), filtering machine accounts and loopback addresses; (2) Sysmon Event ID 10 (Process Access) targeting lsass.exe with suspicious access masks (0x1010, 0x1438, 0x143a) indicating the credential harvesting step preceding PtH. A RiskScore field (40–85) prioritizes alerts by technique specificity: LogonType 9 (Mimikatz signature) scores 80, NTLMv1 downgrade scores 70, LSASS access scores 85. The NtlmPackage field identifies NTLMv1 vs NTLMv2 for additional triage context.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate IT monitoring and management agents (Datadog, SolarWinds, PRTG) authenticating via NTLM when Kerberos SPN is not properly configured for the monitoring service account
- Backup solutions (Veeam, Commvault, Veritas) using service accounts that fall back to NTLM when accessing remote file shares across domain boundaries or when Kerberos delegation is unavailable
- Vulnerability scanners (Nessus, Qualys, Rapid7) performing credentialed NTLM authentication sweeps across network segments during authorized scan windows
- Security and EDR agents that legitimately access LSASS process memory for monitoring, AV scanning, or credential guard enforcement purposes — these should be whitelisted by process name
- Legacy applications and services with no Kerberos support that always use NTLM for network authentication, particularly common in mixed-OS or OT/ICS environments
Other platforms for T1550.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Mimikatz sekurlsa::pth Hash Injection
Expected signal: Sysmon Event ID 10: mimikatz.exe accessing lsass.exe with GrantedAccess 0x1438. Sysmon Event ID 1: cmd.exe spawned with ParentImage=mimikatz.exe, showing abnormal parent-child relationship. Security Event ID 4624 on the local machine with LogonType=9 (NewCredentials) and AuthenticationPackageName=NTLM when the injected cmd.exe makes its first outbound connection. Security Event ID 4624 on any target system accessed from the injected session shows LogonType=3 with NTLM.
- Test 2Invoke-SMBExec Pass the Hash Lateral Movement
Expected signal: Security Event ID 4624 on target (192.168.1.10): LogonType=3, AuthenticationPackageName=NTLM — primary PtH authentication event. Sysmon Event ID 3 on source: outbound TCP connection to 192.168.1.10:445. Security Event ID 7045 on target: new service installed with random 7-character name and ImagePath pointing to cmd.exe. Sysmon Event ID 1 on target: cmd.exe spawned by the transient service process.
- Test 3Impacket psexec.py Pass the Hash from Linux
Expected signal: Security Event ID 4624 on Windows target: LogonType=3, AuthenticationPackageName=NTLM, IpAddress=<Linux attacker IP> — source IP being non-Windows is a high-fidelity indicator. Security Event ID 7045: new service named 'PSEXESVC' or randomly named service installed on target. Sysmon Event ID 1 on target: cmd.exe spawned by the installed Impacket service. Network captures show SMB NTLM authentication with challenge-response originating from a Linux host.
- Test 4CrackMapExec Pass the Hash Subnet Sweep
Expected signal: Multiple Security Event ID 4624 (LogonType=3, AuthenticationPackageName=NTLM) on each host in the subnet that responds — all originating from the same attacker source IP in rapid succession. Security Event ID 4625 (failed logon, LogonType=3, NTLM) on hosts where the hash is invalid. High volume of authentication events from a single source IP in a short window creates a clear spike in the SecurityEvent table.
References (11)
- https://attack.mitre.org/techniques/T1550/002/
- https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- https://learn.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview
- https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain
- https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md
- https://www.mandiant.com/resources/blog/fin13-a-cybercriminal-threat-actor-focused-on-mexico
- https://www.mandiant.com/resources/reports/apt1-exposing-one-of-chinas-cyber-espionage-units
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-301a
- https://github.com/SecureAuthCorp/impacket
- https://github.com/Kevin-Robertson/Invoke-TheHash
Unlock Pro Content
Get the full detection package for T1550.002 including response playbook, investigation guide, and atomic red team tests.