/
CAR-2016-04-004.yaml
37 lines (37 loc) · 1.36 KB
/
CAR-2016-04-004.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
---
title: Successful Local Account Login
submission_date: 2016/04/18
information_domain: Host
platforms:
- Windows
subtypes:
- Login
analytic_types:
- Situational Awareness
contributors:
- MITRE/NSA
id: CAR-2016-04-004
description: 'The successful use of [Pass The Hash](https://attack.mitre.org/techniques/T1550/002/) for lateral movement between workstations would trigger event ID 4624, with an event level of Information, from the security log. This behavior would be a LogonType of 3 using NTLM authentication where it is not a domain logon and not the ANONYMOUS LOGON account.'
coverage:
- technique: T1550
tactics:
- TA0008
subtechniques:
- T1550.002
coverage: Moderate
implementations:
- description: 'This analytic will look for remote logins, using a non domain login, from one host to another, using NTL authentication where the account is not "ANONYMOUS LOGON".'
code: |
EventCode == 4624 and [target_user_name] != "ANONYMOUS LOGON" and
[authentication_package_name] == "NTLM"
type: pseudocode
unit_tests:
- configurations:
- Windows 7
description: As an adminstrator, create a new user. Then, logon to the host with that new user. This is generate the event.
commands:
- net user 'test' 'test' /add
d3fend_mappings:
- iri: d3f:LocalAccountMonitoring
id: D3-LAM
label: Local Account Monitoring