ATH Example: Pass the Hash

We will create a threat hunting playbook that looks for a pass-the-hash attack.

Configure the Alert

We want an alert that runs a query every 5 minutes on the Alerts index.

To configure the alert:

  1. Click Respond | Automation.
  2. Click the Create button to add a playbook.
  3. Enter a name for the playbook. We entered Pass the Hash Attack.
  4. Set the Schedule type to interval.
  5. Set it to run every five minutes over all selected tenants.
  6. Choose the tenants and tenant groups on which to run. We chose All Tenants.
  7. Set the index to Alerts.
  8. Leave the Rule Type as Query.

Build a Query

We want a query that looks for NTLM logons using cached credentials (the hash), whether or not the logon succeeded.

To build the query:

  1. Click New Query. The screen changes to Build a Query.
  2. Enter a Query Name. We entered Pass the Hash.
  3. Click Add Condition.
  4. Enter msg_origin.source in the Field.
  5. Leave the Operator as is.
  6. Enter windows_agent for the Value.
  7. Click Add Condition.
  8. Enter event_data.AuthenticationPackageName in the Field.
  9. Leave the Operator as is.
  10. Enter NTLM for the Value. NTLM is the NT LAN Manager authentication package.
  11. Click Add Condition.
  12. Enter event_data.LogonType in the Field.
  13. Leave the Operator as is.
  14. Enter 9 for the Value. This logon type indicates a logon using cached credentials.
  15. Click Add Condition.
  16. Enter event_data.KeyLength in the Field.
  17. Leave the Operator as is.
  18. Enter 0 for the Value. This indicates that no session key was requested.
  19. Click Add Inner Group.
  20. Change the Condition Type to Or.
  21. Enter event_id in the Field.
  22. Leave the Operator as is.
  23. Enter 4624 for the Value. This indicates a successful login.
  24. Within that inner group, click Add Condition.
  25. Enter event_id in the Field.
  26. Leave the Operator as is.
  27. Enter 4625 for the Value. This indicates a failed login.
  28. Click Save to save the query. The screen changes to display the saved query in Domain Specific Language (DSL).

Configure a Condition

We want a condition that triggers our actions if there are any hits.

To configure this condition:

  1. Enter a Condition Name. We entered Any Hits.
  2. Select Compare Value for the Type.
  3. Set the Comparison to Total Hits, is greater than or equal to, and 1.
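The query built above and the Any Hits condition, evaluated offline over constructed Windows logon records so you can check the matching logic before scheduling it. This is an added example, not Stellar Cyber code; the nested record shape, the dotted field resolution and the run_playbook helper are assumptions for illustration.

```python
"""Evaluate the Pass the Hash query and the Any Hits condition over sample alert records."""
from typing import Any

# Constructed sample records (assumed shape). Only the first two should match:
# windows_agent + NTLM + LogonType 9 + KeyLength 0 + event_id 4624 or 4625.
SAMPLE_ALERTS = [
    {"msg_origin": {"source": "windows_agent"}, "event_id": 4624,
     "event_data": {"AuthenticationPackageName": "NTLM", "LogonType": 9, "KeyLength": 0}},
    {"msg_origin": {"source": "windows_agent"}, "event_id": "4625",   # string-typed, still a hit
     "event_data": {"AuthenticationPackageName": "NTLM", "LogonType": "9", "KeyLength": "0"}},
    {"msg_origin": {"source": "windows_agent"}, "event_id": 4624,     # Kerberos, not NTLM
     "event_data": {"AuthenticationPackageName": "Kerberos", "LogonType": 9, "KeyLength": 0}},
    {"msg_origin": {"source": "windows_agent"}, "event_id": 4624,     # network logon, session key present
     "event_data": {"AuthenticationPackageName": "NTLM", "LogonType": 3, "KeyLength": 128}},
    {"msg_origin": {"source": "linux_agent"}, "event_id": 4624,       # wrong source
     "event_data": {"AuthenticationPackageName": "NTLM", "LogonType": 9, "KeyLength": 0}},
    {"msg_origin": {"source": "windows_agent"}, "event_id": 4648,     # not in the inner Or group
     "event_data": {"AuthenticationPackageName": "NTLM", "LogonType": 9, "KeyLength": 0}},
]

# Outer And group and inner Or group exactly as entered in the Build a Query steps.
PASS_THE_HASH_QUERY = {
    "and": [("msg_origin.source", "windows_agent"),
            ("event_data.AuthenticationPackageName", "NTLM"),
            ("event_data.LogonType", 9),
            ("event_data.KeyLength", 0)],
    "or": [("event_id", 4624), ("event_id", 4625)],
}


def get_field(record: dict, dotted: str) -> Any:
    """Resolve a dotted field name such as event_data.LogonType in a nested record."""
    value: Any = record
    for part in dotted.split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value


def matches(record: dict, query: dict = PASS_THE_HASH_QUERY) -> bool:
    """All And-conditions must hold and at least one Or-condition must hold.
    Values are compared as strings because agents ship some numeric fields as text."""
    required = all(str(get_field(record, f)) == str(v) for f, v in query["and"])
    any_event = any(str(get_field(record, f)) == str(v) for f, v in query["or"])
    return required and any_event


def run_playbook(records: list, query: dict = PASS_THE_HASH_QUERY, min_hits: int = 1):
    """Apply the query, then the Any Hits condition (Total Hits >= min_hits).
    Returns (triggered, hits) so the action stage can attach the matching records."""
    hits = [r for r in records if matches(r, query)]
    return len(hits) >= min_hits, hits
```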

Configure Actions

You can configure any number of actions to take place if your playbook gets the specified number of hits.

For our example we want an email:

  1. Choose the trigger condition you entered. Ours is Any Hits.
  2. Choose Email for the Type.
  3. Choose Recipients. To add a new recipient, see Adding a Recipient.
  4. Enter a Subject. We entered Pass the Hash?
  5. Set your Priority.
  6. Select the Include Interflow check box if you want the Interflow included with the email.
  7. Enter your Email Body. We included a short sentence explaining why the recipient is getting the email.

See Configure Actions for details on configuring each type of action.

Save & Run the Playbook

Click Submit to save and immediately run the playbook. Your new playbook is displayed in the playbook list.