Query Details

RULE 19 AD Pass The Hash NTLM Type3

Query

// =========================================================
// RULE-19 | AD-PassTheHash-NTLM-Type3
// Description : Pass-the-Hash detection — Event 4624
//               (Successful Logon) with LogonType=3 (Network)
//               using NTLM authentication, from a source IP
//               that has NOT performed an interactive (Type 2),
//               remote interactive (Type 10) or cached
//               interactive (Type 11) logon as that account on
//               the target host in the last 30 days.
//               PtH attacks reuse an NT hash directly for
//               NTLM authentication — the source machine
//               "never logged in locally" to the target but
//               can authenticate over the network with the
//               stolen hash.
//               Escalates to Critical when the target host is
//               a known Domain Controller (a host that logged
//               a Kerberos TGT request, Event 4768, in the
//               last 3 days).
// Severity    : High → Critical (DC target)
// Frequency   : Every 30 minutes, look-back 30 minutes
// MITRE       : T1550.002 — Pass the Hash
// Tables      : SecurityEvent
// =========================================================

let LookBack          = 30m;
let BaselinePeriod    = 30d;

// Baseline: accounts + IPs that have had interactive logons to each computer
let InteractiveBaseline = SecurityEvent
    | where TimeGenerated > ago(BaselinePeriod)
    | where EventID == 4624
    | where LogonType in (2, 10, 11)        // Interactive, RemoteInteractive, CachedInteractive
    | summarize by BaselineKey = strcat(tolower(TargetUserName), "|",
                                        IpAddress, "|",
                                        toupper(Computer));

// Known DCs
let KnownDCNames = SecurityEvent
    | where TimeGenerated > ago(3d)
    | where EventID == 4768
    | summarize by DC = toupper(Computer);

// Network NTLM logons in detection window
SecurityEvent
| where TimeGenerated > ago(LookBack)
| where EventID == 4624
| where LogonType == 3
| where AuthenticationPackageName =~ "NTLM"
    or LogonProcessName =~ "NtLmSsp"
| where not(TargetUserName endswith "$")              // Exclude machine accounts
| where not(TargetUserName =~ "ANONYMOUS LOGON")
| where isnotempty(IpAddress) and IpAddress != "-"
    and IpAddress != "127.0.0.1" and IpAddress != "::1"
| extend
    LookupKey       = strcat(tolower(TargetUserName), "|",
                             IpAddress, "|",
                             toupper(Computer)),
    TargetIsDC      = (toupper(Computer) in~ (KnownDCNames))
// Keep only logons where (user + IP + computer) combination was NEVER seen interactively
| join kind=leftanti (InteractiveBaseline) on $left.LookupKey == $right.BaselineKey
| extend
    Severity = case(
        TargetIsDC,          "Critical",
        "High"
    ),
    WhySuspicious = strcat(
        "PassTheHash_NTLM_Type3_No_Interactive_Baseline; ",
        iff(TargetIsDC, "Target_Is_DC_Critical; ", ""),
        "Src: ", IpAddress, " → ", Computer, "; ",
        "Account: ", TargetDomainName, "\\", TargetUserName
    )
| project
    TimeGenerated,
    Severity,
    WhySuspicious,
    TargetUserName,
    TargetDomainName,
    IpAddress,
    Computer,
    TargetIsDC,
    LogonType,
    AuthenticationPackageName
| order by Severity asc, TimeGenerated desc

Explanation

This query is designed to detect potential Pass-the-Hash (PtH) attacks using NTLM authentication in a network environment. Here's a simplified breakdown of what the query does:

  1. Purpose: The query identifies network logons (Event ID 4624 with LogonType 3) that use NTLM authentication from a source IP that has not logged on interactively to the target host with that account in the past 30 days. This pattern is characteristic of a Pass-the-Hash attack, where an attacker reuses a stolen NT hash to authenticate over the network without ever having logged on directly to the target machine.

  2. Severity Levels:
    • The severity is "Critical" if the target is a Domain Controller (DC).
    • Otherwise, the severity is "High".

  3. Baseline Creation:
    • It builds a baseline of (account, source IP, computer) combinations that have had interactive logons (LogonTypes 2, 10, or 11) to each computer over the past 30 days.

  4. Known Domain Controllers:
    • It identifies known Domain Controllers as hosts that logged Event ID 4768 (a Kerberos TGT request) in the last 3 days.

  5. Detection Logic:
    • It looks for network logons (LogonType 3) using NTLM within the last 30 minutes.
    • It excludes machine accounts, anonymous logons, and logons with an empty or loopback source address.
    • It checks whether the combination of user, source IP, and computer has ever been seen interactively by comparing it against the baseline (a leftanti join keeps only rows with no baseline match).
    • If the logon comes from a source that has never logged on interactively with that account, it is flagged as suspicious.

  6. Output:
    • The query outputs the time of the event, severity, reason for suspicion, user account, domain, source IP, target computer, whether the target is a DC, the logon type, and the authentication package.
    • Results are ordered by severity and then by time, newest first.

In summary, this query is a security measure to detect unauthorized network access attempts that could indicate a Pass-the-Hash attack, especially focusing on critical infrastructure like Domain Controllers.
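To show the rule's logic end to end, here is an added Python re-implementation of the same baseline, DC lookup, exclusion and leftanti-join steps run over a handful of constructed SecurityEvent-like rows. This is example code written for this explanation, not the author's query or Sentinel's own API; the event rows, host names and addresses are made up for the sample.

```python
from datetime import datetime, timedelta

NOW = datetime(2026, 3, 24, 12, 0)  # constructed "current time" for the sample rows

def ev(minutes_ago, event_id, logon_type, user, ip, computer, pkg="NTLM", proc="NtLmSsp"):
    # One constructed SecurityEvent-like row (sample data, not real telemetry)
    return dict(TimeGenerated=NOW - timedelta(minutes=minutes_ago), EventID=event_id,
                LogonType=logon_type, TargetUserName=user, IpAddress=ip, Computer=computer,
                AuthenticationPackageName=pkg, LogonProcessName=proc)

EVENTS = [
    ev(10 * 1440, 4624, 2, "alice", "10.0.0.5", "ws01", "Negotiate", "User32"),  # baseline row
    ev(120, 4768, 0, "bob", "10.0.0.77", "dc01", "Kerberos", "Kerberos"),        # marks DC01 as a DC
    ev(5, 4624, 3, "alice", "10.0.0.5", "WS01"),   # NTLM, but seen interactively: benign
    ev(8, 4624, 3, "bob", "10.0.0.77", "FS01"),    # no interactive history here: High
    ev(3, 4624, 3, "bob", "10.0.0.77", "DC01"),    # same source reaches a DC: Critical
    ev(2, 4624, 3, "FS01$", "10.0.0.9", "DC01"),   # machine account: excluded
]

def lookup_key(e):
    # Mirror of the KQL strcat(tolower(user), "|", ip, "|", toupper(computer))
    return f"{e['TargetUserName'].lower()}|{e['IpAddress']}|{e['Computer'].upper()}"

def detect(events, now=NOW, lookback=timedelta(minutes=30), baseline=timedelta(days=30)):
    # InteractiveBaseline: keys seen with LogonType 2/10/11 inside the baseline period
    seen = {lookup_key(e) for e in events if e["EventID"] == 4624
            and e["LogonType"] in (2, 10, 11) and e["TimeGenerated"] > now - baseline}
    # KnownDCNames: hosts that logged a Kerberos TGT request (Event 4768) in the last 3 days
    dcs = {e["Computer"].upper() for e in events
           if e["EventID"] == 4768 and e["TimeGenerated"] > now - timedelta(days=3)}
    out = []
    for e in events:
        if not (e["EventID"] == 4624 and e["LogonType"] == 3
                and e["TimeGenerated"] > now - lookback):
            continue
        if e["AuthenticationPackageName"].upper() != "NTLM" \
                and e["LogonProcessName"].upper() != "NTLMSSP":
            continue
        user, ip = e["TargetUserName"], e["IpAddress"]
        if user.endswith("$") or user.upper() == "ANONYMOUS LOGON" \
                or ip in ("", "-", "127.0.0.1", "::1"):
            continue
        if lookup_key(e) in seen:        # leftanti join: a baseline match drops the row
            continue
        is_dc = e["Computer"].upper() in dcs
        out.append(dict(TimeGenerated=e["TimeGenerated"], Severity="Critical" if is_dc else "High",
                        TargetUserName=user, IpAddress=ip, Computer=e["Computer"], TargetIsDC=is_dc,
                        WhySuspicious="PassTheHash_NTLM_Type3_No_Interactive_Baseline; "
                        + ("Target_Is_DC_Critical; " if is_dc else "") + f"Src: {ip} -> {e['Computer']}"))
    return sorted(out, key=lambda r: (r["Severity"], now - r["TimeGenerated"]))  # Severity asc, time desc
```

Running `detect(EVENTS)` yields two findings: the Critical DC01 logon first, then the High FS01 logon, while alice's NTLM logon (covered by her earlier interactive baseline) and the machine account are dropped.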

Details

David Alonso

Released: March 24, 2026

Tables

SecurityEvent

Keywords

SecurityEvent, Devices, Network, Authentication, LogonType, Computer, IpAddress, UserAccount

Operators

let, ago, in, strcat, tolower, toupper, summarize, by, where, endswith, isnotempty, extend, join, kind, leftanti, on, case, iff, project, order by, desc, asc