DET0409 Detection Strategy for T1550.002 - Pass the Hash (Windows)

Item	Value
ID	DET0409
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1550.002 (Pass the Hash)

Analytics

Windows

AN1144

Detects anomalous NTLM LogonType 3 authentications that occur without accompanying domain logon events, especially from lateral systems or involving built-in administrative tools. Monitors for mismatches between source user context and system being accessed. Correlates LogonSession creation, NTLM authentications, and process/service initiation to identify suspicious use of stolen password hashes for remote access or service logon without password entry. Detects overpass-the-hash by combining Kerberos ticket issuance with NTLM-based lateral movement.

Log Sources

Data Component	Name	Channel
Logon Session Creation (DC0067)	WinEventLog:Security	EventCode=4624, 4648
Active Directory Credential Request (DC0084)	WinEventLog:Security	EventCode=4768
Network Connection Creation (DC0082)	WinEventLog:Sysmon	EventCode=3, 22
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1

Mutable Elements

Field	Description
TimeWindow	Allows tuning the correlation timeframe between authentication, session creation, and process/network activity.
SourceAccountAnomalyThreshold	Supports tuning detection sensitivity based on deviations from normal user login patterns or usage context.
LogonTypeFilter	Allows focusing detection on specific logon types (e.g., LogonType 3 for network logon, Type 10 for RDP).