Chronicles of a Threat Hunter: Hunting for In-Memory Mimikatz with Sysmon, Win Event Logs, and ELK - Part III (Overpass-the-Hash - EIDs 10, 4624, 4648, 4768)
Common Information
Type Value
UUID c622227d-462d-4bf9-8869-3dd576e2a8da
Fingerprint 9e1dd05b29a20197
Analysis status DONE
Considered CTI value 0
Text language
Published April 1, 2017, 12:46 a.m.
Added to db Jan. 18, 2023, 9:28 p.m.
Last updated Nov. 18, 2024, 1:38 a.m.
Headline Cyber Wardog Lab
Title Chronicles of a Threat Hunter: Hunting for In-Memory Mimikatz with Sysmon, Win Event Logs, and ELK - Part III (Overpass-the-Hash - EIDs 10, 4624, 4648, 4768)
Detected Hints/Tags/Attributes 50/1/8
Attributes
Details Type #Events CTI Value
Details Domain 1 hfdc01.hf.com
Details File 478 lsass.exe
Details File 2127 cmd.exe
Details File 25 sysmon.exe
Details File 77 mimikatz.exe
Details File 62 taskhost.exe
Details File 172 dllhost.exe
Details File 1260 explorer.exe