
PtH Rule

Question asked by Roger Feagin on Dec 18, 2018
Latest reply on Dec 18, 2018 by Naushad Kasu

How would I convert this rule to Netwitness?


logsource:
    product: windows
    service: security
    definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
detection:
    selection:
        - EventID: 4624
          LogonType: '3'
          LogonProcessName: 'NtLmSsp'
          WorkstationName: '%Workstations%'
          ComputerName: '%Workstations%'
        - EventID: 4625
          LogonType: '3'
          LogonProcessName: 'NtLmSsp'
          WorkstationName: '%Workstations%'
          ComputerName: '%Workstations%'
    filter:
        AccountName: 'ANONYMOUS LOGON'
    condition: selection and not filter
falsepositives:
    - Administrator activity
    - Penetration tests
level: medium
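Added example, not from the original post or from RSA: the rule's "selection and not filter" logic written as a Python function and run over constructed Windows Security events, so the intended matches can be checked before the logic is carried over to a Netwitness rule. The host names standing in for the '%Workstations%' placeholder and the sample events are assumptions.

```python
# Added example: the Sigma rule's logic as a plain Python filter.
# The '%Workstations%' placeholder is assumed to expand to a list of
# workstation host names; the names and events below are constructed.

# Assumed expansion of the %Workstations% placeholder.
WORKSTATIONS = {"WKS-101", "WKS-102", "WKS-103"}


def matches_pth_rule(event, workstations=WORKSTATIONS):
    """Return True when the event satisfies 'selection and not filter'.

    selection: the two list items share every field except EventID, so the
    rule reduces to an NTLM (NtLmSsp) network logon (type 3) whose source
    host (WorkstationName) and logging host (ComputerName) are both
    workstations, i.e. workstation-to-workstation activity rather than a
    logon to a server or domain controller.
    filter: anonymous network logons are excluded.
    """
    selection = (
        event.get("EventID") in (4624, 4625)
        and str(event.get("LogonType")) == "3"
        and event.get("LogonProcessName") == "NtLmSsp"
        and event.get("WorkstationName") in workstations
        and event.get("ComputerName") in workstations
    )
    excluded = event.get("AccountName") == "ANONYMOUS LOGON"
    return selection and not excluded


def find_matches(events, workstations=WORKSTATIONS):
    """Apply the rule to a sequence of parsed events; return the hits."""
    return [e for e in events if matches_pth_rule(e, workstations)]


# Constructed sample events (not real log data).
def _ev(event_id, proc, src, dst, account):
    return {"EventID": event_id, "LogonType": 3, "LogonProcessName": proc,
            "WorkstationName": src, "ComputerName": dst, "AccountName": account}

SAMPLE_EVENTS = [
    _ev(4624, "NtLmSsp", "WKS-101", "WKS-102", "jdoe"),             # hit
    _ev(4625, "NtLmSsp", "WKS-101", "WKS-103", "jdoe"),             # hit (failed logon)
    _ev(4624, "NtLmSsp", "WKS-101", "WKS-102", "ANONYMOUS LOGON"),  # removed by filter
    _ev(4624, "Kerberos", "WKS-101", "WKS-102", "jdoe"),            # not NTLM
    _ev(4624, "NtLmSsp", "WKS-101", "DC01", "jdoe"),                # target not a workstation
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(hit["EventID"], hit["WorkstationName"], "->", hit["ComputerName"], hit["AccountName"])
```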
