Detect Pass the Hash in Sumo Logic CSE
Adversaries may 'pass the hash' using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. When performing PtH, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. Adversaries may also use stolen password hashes to perform 'overpass the hash,' using the NTLM hash to create a valid Kerberos ticket for further lateral movement. Threat actors including APT28, APT32, APT41, Wizard Spider, FIN13, Chimera, and Kimsuky have all operationalized PtH using tools such as Mimikatz, Cobalt Strike, Invoke-SMBExec, Impacket, and CrackMapExec.
MITRE ATT&CK
- Tactic
- Defense Evasion, Lateral Movement
- Sub-technique
- T1550.002 Pass the Hash
- Canonical reference
- https://attack.mitre.org/techniques/T1550/002/
Sumo Detection Query
(_sourceCategory="windows/security" OR _sourceCategory="windows/sysmon" OR _sourceCategory="OS/Windows/Security" OR _sourceCategory="OS/Windows/Sysmon")
| where EventCode in ("4624", "10")
| parse regex "(?s)Logon Type:\s+(?<LogonType>\d+)" nodrop
| parse regex "(?s)Authentication Package:\s+(?<AuthPackage>[^\r\n]+)" nodrop
| parse regex "(?s)Account Name:\s+(?<TargetAccount>[^\r\n]+)" nodrop
| parse regex "(?s)Source Network Address:\s+(?<SourceIP>[^\r\n]+)" nodrop
| parse regex "(?s)Package Name \(NTLM only\):\s+(?<NtlmPackage>[^\r\n]+)" nodrop
| parse regex "<TargetImage>(?<TargetImage>[^<]+)<" nodrop
| parse regex "<GrantedAccess>(?<GrantedAccess>[^<]+)<" nodrop
| parse regex "<SourceImage>(?<SourceImage>[^<]+)<" nodrop
| where (
(
EventCode = "4624"
AND (LogonType = "3" OR LogonType = "9")
AND AuthPackage matches /(?i).*NTLM.*/
AND !(TargetAccount matches /(?i)(.*\$|ANONYMOUS LOGON|IUSR|DWM-|UMFD-|LOCAL SERVICE|NETWORK SERVICE)/)
AND SourceIP != "-"
AND SourceIP != "127.0.0.1"
AND SourceIP != "::1"
AND SourceIP != ""
AND !isNull(SourceIP)
) OR (
EventCode = "10"
AND TargetImage matches /(?i).*\\lsass\.exe$/
AND GrantedAccess in ("0x1010", "0x1438", "0x143a", "0x40", "0x1fffff")
AND !(SourceImage matches /(?i).*(MsMpEng|Taskmgr|procexp|procexp64|WmiPrvSE|svchost|csrss|wininit|SecurityHealthService|perfmon|lsm)\.exe/)
)
)
| if(EventCode = "10", "LSASS_Credential_Access_PrePtH",
if(LogonType = "9", "NewCredentials_Mimikatz_PtH", "NTLM_Network_Logon_PtH")) as DetectionBranch
| if(EventCode = "10", 85, if(LogonType = "9", 80, 65)) as RiskScore
| fields _messageTime, _sourceHost, TargetAccount, SourceIP, LogonType, AuthPackage, NtlmPackage, GrantedAccess, TargetImage, SourceImage, DetectionBranch, RiskScore
| sort by _messageTime desc
Sumo Logic search spanning the Windows Security and Sysmon source categories. It parses both the Windows event log text rendering (Security Event 4624: LogonType, AuthPackage, SourceIP) and the Sysmon XML rendering (Event 10: TargetImage, GrantedAccess, SourceImage). It covers three detection branches: NTLM network logon (Type 3), Mimikatz-style NewCredentials logon (Type 9), and suspicious LSASS process access. Every parse regex uses 'nodrop' so that events are not discarded when a field is absent in one of the two log formats; the branch-specific filtering is applied after field extraction. Tune the _sourceCategory values to match your Sumo Logic collector configuration.
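To see what the three branches do against concrete events, the following Python block re-implements the query's field extraction and where-clause filtering over constructed samples. It is an added example written for this page, not part of the Sumo Logic query, of Sumo Logic, or of any vendor tooling; the 4624 message text and Sysmon Event 10 XML below are constructed, not real telemetry. It departs from the query in two deliberate, labelled ways: the authenticated account is anchored on the 'New Logon:' section, so the Subject's 'Account Name:' (usually '-' for a network logon) is not picked up, which is the pitfall described under False Positives & Tuning; and the Sysmon field helper accepts both the <TargetImage>value</TargetImage> shape the query parses and Sysmon's native <Data Name='TargetImage'>value</Data> shape.

```python
import re
from typing import Optional

# ---- Constructed sample telemetry (built for this example, not real events) ----
# A Security 4624 message rendered as text, the shape the query's parse regex lines
# target. Note the two "Account Name:" labels: the Subject's and the New Logon's.
SEC_4624_NTLM_TYPE3 = (
    "An account was successfully logged on.\n\n"
    "Subject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n"
    "\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\n"
    "Logon Type:\t\t\t3\n\n"
    "New Logon:\n\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1105\n"
    "\tAccount Name:\t\tjdoe\n\tAccount Domain:\t\tCORP\n\tLogon ID:\t\t0x3E7A1\n\n"
    "Network Information:\n\tWorkstation Name:\tWS01\n"
    "\tSource Network Address:\t10.0.5.23\n\tSource Port:\t\t49731\n\n"
    "Detailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp\n"
    "\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n"
    "\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n"
)
SEC_4624_NTLM_TYPE9 = SEC_4624_NTLM_TYPE3.replace("Logon Type:\t\t\t3", "Logon Type:\t\t\t9")
SEC_4624_KERBEROS = SEC_4624_NTLM_TYPE3.replace("Authentication Package:\tNTLM", "Authentication Package:\tKerberos")
SEC_4624_MACHINE_ACCOUNT = SEC_4624_NTLM_TYPE3.replace("Account Name:\t\tjdoe", "Account Name:\t\tWS02$")

# Sysmon Event 10 in its native <Data Name='...'> rendering (constructed paths and mask).
SYSMON_10_MIMIKATZ = (
    "<Event><System><EventID>10</EventID></System><EventData>"
    "<Data Name='SourceImage'>C:\\Users\\jdoe\\Downloads\\mimikatz.exe</Data>"
    "<Data Name='TargetImage'>C:\\Windows\\system32\\lsass.exe</Data>"
    "<Data Name='GrantedAccess'>0x1438</Data></EventData></Event>"
)
SYSMON_10_DEFENDER = SYSMON_10_MIMIKATZ.replace(
    "C:\\Users\\jdoe\\Downloads\\mimikatz.exe",
    "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0\\MsMpEng.exe",
)

# ---- Filters lifted from the query's where-clause ----
EXCLUDED_ACCOUNTS = re.compile(r"(?i)(.*\$|ANONYMOUS LOGON|IUSR|DWM-|UMFD-|LOCAL SERVICE|NETWORK SERVICE)")
LOCAL_SOURCES = {"-", "127.0.0.1", "::1", ""}
LSASS_ACCESS_MASKS = {"0x1010", "0x1438", "0x143a", "0x40", "0x1fffff"}
BENIGN_LSASS_READERS = re.compile(
    r"(?i).*(MsMpEng|Taskmgr|procexp|procexp64|WmiPrvSE|svchost|csrss|wininit|SecurityHealthService|perfmon|lsm)\.exe"
)


def field(label: str, text: str) -> Optional[str]:
    """Equivalent of the query's parse regex with nodrop: first 'Label:<ws>value' match, else None."""
    m = re.search(re.escape(label) + r":\s+([^\r\n]+)", text)
    return m.group(1).strip() if m else None


def new_logon_account(text: str) -> Optional[str]:
    """Account from the 'New Logon:' section, skipping the Subject's 'Account Name:' that field() returns."""
    m = re.search(r"New Logon:.*?Account Name:\s+([^\r\n]+)", text, re.S)
    return m.group(1).strip() if m else None


def xml_field(name: str, text: str) -> Optional[str]:
    """Accept <Name>v</Name> (the shape the query parses) and Sysmon's native <Data Name='Name'>v</Data>."""
    m = re.search("<" + name + ">([^<]+)<", text) or re.search(
        "<Data Name=['\"]" + name + "['\"]>([^<]+)<", text)
    return m.group(1) if m else None


def classify(event_code: str, text: str) -> Optional[dict]:
    """Apply the query's three branches to one event; None means the event would be filtered out."""
    if event_code == "4624":
        logon_type = field("Logon Type", text)
        auth_pkg = (field("Authentication Package", text) or "").upper()
        account = new_logon_account(text) or ""
        src_ip = field("Source Network Address", text)
        if logon_type not in ("3", "9") or "NTLM" not in auth_pkg:
            return None
        # Substring semantics on purpose: any account carrying one of these tokens is dropped.
        if EXCLUDED_ACCOUNTS.search(account) or src_ip is None or src_ip in LOCAL_SOURCES:
            return None
        is_type9 = logon_type == "9"
        return {
            "branch": "NewCredentials_Mimikatz_PtH" if is_type9 else "NTLM_Network_Logon_PtH",
            "risk": 80 if is_type9 else 65,
            "account": account, "src_ip": src_ip,
            "ntlm_package": field("Package Name (NTLM only)", text),
        }
    if event_code == "10":
        target = xml_field("TargetImage", text) or ""
        granted = (xml_field("GrantedAccess", text) or "").lower()
        source = xml_field("SourceImage", text) or ""
        if not re.search(r"(?i)\\lsass\.exe$", target) or granted not in LSASS_ACCESS_MASKS:
            return None
        if BENIGN_LSASS_READERS.search(source):
            return None
        return {"branch": "LSASS_Credential_Access_PrePtH", "risk": 85,
                "source_image": source, "granted_access": granted}
    return None


if __name__ == "__main__":
    for label, code, text in [("ntlm type 3", "4624", SEC_4624_NTLM_TYPE3), ("ntlm type 9", "4624", SEC_4624_NTLM_TYPE9),
                              ("kerberos", "4624", SEC_4624_KERBEROS), ("machine acct", "4624", SEC_4624_MACHINE_ACCOUNT),
                              ("mimikatz->lsass", "10", SYSMON_10_MIMIKATZ), ("MsMpEng->lsass", "10", SYSMON_10_DEFENDER)]:
        print(f"{label:16} -> {classify(code, text)}")
    print("first 'Account Name:' =", field("Account Name", SEC_4624_NTLM_TYPE3),
          "| New Logon account =", new_logon_account(SEC_4624_NTLM_TYPE3))
```

Running the block shows the Kerberos logon, the machine account and the Defender engine dropping out while the NTLM Type 3, Type 9 and mimikatz-to-LSASS samples land in their branches with scores 65, 80 and 85. The last line makes the Account Name pitfall concrete: a first-match parse returns the Subject's '-', while the section-anchored parse returns 'jdoe'.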
Data Sources
Required Tables
False Positives & Tuning
- Windows Remote Management (WinRM) and PowerShell remoting sessions using NTLM authentication across trusted subnets generate Type 3 logons — create an allowlist of approved management jump-host IPs and suppress those source addresses to reduce noise from legitimate admin activity.
- Backup agents (e.g., Veeam, Commvault) and antivirus scan engines that enumerate LSASS memory for shadow copy coordination or legitimate memory scanning will trigger the LSASS access branch — document and hash-allowlist these by binary path and version as part of your tuning baseline.
- The 'Account Name' regex parser may extract the machine account name or the subject account name depending on Windows event field ordering when multiple 'Account Name:' labels appear in the same event — validate parsed field accuracy against raw events and adjust the parse anchor regex to target specifically 'Target Account Name:' for Event 4624 if false matches occur.
Other platforms for T1550.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Mimikatz sekurlsa::pth Hash Injection
Expected signal: Sysmon Event ID 10: mimikatz.exe accessing lsass.exe with GrantedAccess 0x1438. Sysmon Event ID 1: cmd.exe spawned with ParentImage=mimikatz.exe, showing abnormal parent-child relationship. Security Event ID 4624 on the local machine with LogonType=9 (NewCredentials) and AuthenticationPackageName=NTLM when the injected cmd.exe makes its first outbound connection. Security Event ID 4624 on any target system accessed from the injected session shows LogonType=3 with NTLM.
- Test 2: Invoke-SMBExec Pass the Hash Lateral Movement
Expected signal: Security Event ID 4624 on target (192.168.1.10): LogonType=3, AuthenticationPackageName=NTLM — primary PtH authentication event. Sysmon Event ID 3 on source: outbound TCP connection to 192.168.1.10:445. Security Event ID 7045 on target: new service installed with random 7-character name and ImagePath pointing to cmd.exe. Sysmon Event ID 1 on target: cmd.exe spawned by the transient service process.
- Test 3: Impacket psexec.py Pass the Hash from Linux
Expected signal: Security Event ID 4624 on Windows target: LogonType=3, AuthenticationPackageName=NTLM, IpAddress=<Linux attacker IP> — source IP being non-Windows is a high-fidelity indicator. Security Event ID 7045: new service named 'PSEXESVC' or randomly named service installed on target. Sysmon Event ID 1 on target: cmd.exe spawned by the installed Impacket service. Network captures show SMB NTLM authentication with challenge-response originating from a Linux host.
- Test 4: CrackMapExec Pass the Hash Subnet Sweep
Expected signal: Multiple Security Event ID 4624 (LogonType=3, AuthenticationPackageName=NTLM) on each host in the subnet that responds — all originating from the same attacker source IP in rapid succession. Security Event ID 4625 (failed logon, LogonType=3, NTLM) on hosts where the hash is invalid. High volume of authentication events from a single source IP in a short window creates a clear spike in the SecurityEvent table.
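Test 4 expects the sweep to surface as a burst of NTLM Type 3 logons (4624 successes and 4625 failures) from one source IP against many hosts. The query above scores events one at a time, so the following Python block is an added example, not from this page, Sumo Logic, or any vendor tool, of the aggregation layer a practitioner would put on top of it: a sliding time window per source IP that counts distinct target hosts, with the approved jump-host allowlist suggested under False Positives & Tuning applied before counting. The logon records are constructed, already-parsed tuples (timestamp, source IP, target host, event ID), so the block stands alone without the field parser.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-parsed NTLM Type 3 logon records: (timestamp, source IP, target host, event ID).
# Field extraction is assumed to have happened upstream; only the aggregation is shown here.
SAMPLE_LOGONS = [
    ("2024-05-01T10:00:01", "10.0.5.23", "FS01", "4624"),
    ("2024-05-01T10:00:02", "10.0.5.23", "FS02", "4624"),
    ("2024-05-01T10:00:02", "10.0.5.23", "WS17", "4625"),   # hash not valid on this host
    ("2024-05-01T10:00:03", "10.0.5.23", "DC01", "4624"),
    ("2024-05-01T10:00:04", "10.0.5.23", "APP03", "4624"),
    ("2024-05-01T10:00:05", "10.0.5.23", "APP04", "4625"),
    ("2024-05-01T10:00:06", "10.0.5.23", "SQL01", "4624"),
    # An approved jump host reaching two servers ten minutes apart: normal admin cadence.
    ("2024-05-01T10:00:10", "10.0.9.5", "FS01", "4624"),
    ("2024-05-01T10:09:50", "10.0.9.5", "DC01", "4624"),
]
JUMP_HOSTS = frozenset({"10.0.9.5"})   # constructed allowlist of approved management hosts


def detect_sweeps(events, window=timedelta(seconds=60), min_hosts=5, allowlist=frozenset()):
    """Per source IP, slide a time window over its logons and report the widest set of distinct
    target hosts (4624 successes and 4625 failures both count) once it reaches min_hosts."""
    by_src = defaultdict(list)
    for ts, src, host, code in events:
        if src in allowlist:          # tuning: suppress approved jump hosts before counting
            continue
        by_src[src].append((datetime.fromisoformat(ts), host, code))
    alerts = []
    for src, rows in by_src.items():
        rows.sort()
        start, best = 0, None
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:   # shrink window from the left
                start += 1
            span = rows[start:end + 1]
            hosts = {h for _, h, _ in span}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > best["distinct_hosts"]):
                best = {"source_ip": src, "distinct_hosts": len(hosts),
                        "failures": sum(1 for _, _, c in span if c == "4625"),
                        "window_start": span[0][0].isoformat(), "window_end": span[-1][0].isoformat()}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE_LOGONS, allowlist=JUMP_HOSTS):
        print(alert)
```

With the sample data the sweeping source produces one alert covering seven distinct hosts in five seconds, two of them failures, while the jump host stays below the threshold and is in any case allowlisted. The failure count is kept in the alert because a mix of 4624 and 4625 from the same source in the same window is exactly what Test 4 predicts for a hash that is only valid on some hosts.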
References (11)
- https://attack.mitre.org/techniques/T1550/002/
- https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- https://learn.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview
- https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain
- https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md
- https://www.mandiant.com/resources/blog/fin13-a-cybercriminal-threat-actor-focused-on-mexico
- https://www.mandiant.com/resources/reports/apt1-exposing-one-of-chinas-cyber-espionage-units
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-301a
- https://github.com/SecureAuthCorp/impacket
- https://github.com/Kevin-Robertson/Invoke-TheHash