Detects potential pass the hash threats
SCHEMA
| eventid | int | The Windows event ID |
| key_length | int | The length of NTLM Session Security key |
| logon_process | string | The name of the trusted logon process that was used for the logon attempt |
| logon_type | int | The type of logon which was performed. |
| name | string | Name of the registry value entry |
| provider_name | string | The Windows event provider |
| remote_address | string | IP address of machine from which logon attempt was performed |
| remote_port | int | Source port which was used for logon attempt from remote machine |
| source | string | The Windows event source |
| subject_domain | string | The domain or computer name for the account that reported the logon |
| subject_username | string | The account that reported the logon |
| target_domain | string | The domain or computer name for the account specified |
| target_sid | string | SID of account for which logon was performed |
| target_username | string | The name of the account that was specified in the logon attempt |
-- threat_pass_the_hash INFO SELECT -- Device ID DETAILS meta_hostname, meta_ip_address, -- Query Details query_name, eventid, key_length, logon_process, logon_type, name, provider_name, remote_address, remote_port, source, subject_domain, subject_username, target_domain, target_sid, target_username, -- Decoration meta_boot_time, meta_eid, meta_endpoint_type, meta_ip_mask, meta_mac_address, meta_os_name, meta_os_platform, meta_os_type, meta_os_version, meta_public_ip, meta_query_pack_version, meta_username, --- Generic calendar_time, counter, epoch, host_identifier, numerics osquery_action, unix_time, -- Data Lake customer_id, endpoint_id, upload_size FROM xdr_data WHERE query_name = 'threat_pass_the_hash'
we will need to perform a pass the hash attack to confirm this is working as intended, Anyone up to the challenge?
