Managed Sentinel – Alert 148

Alert ID: MS-A148
Alert Name: Successful overpass the hash attempt
Description: Detects a successful logon with logon type 9 (NewCredentials), which matches the Overpass the Hash behaviour of, e.g., Mimikatz's sekurlsa::pth module.
Severity Level: High
Threat Indicator: Root Access
MITRE ATT&CK Tactics: Lateral Movement
Log sources: Windows Security Event Logs
False Positives:
1. Runas command-line tool using the /netonly parameter
Recommendations:
1. Disable the user account.
2. Use Azure Sentinel to query and report all access from the affected user account to other internal resources (lateral movement).
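The following is an added worked example of the detection condition and the lateral-movement triage step above; it is not Managed Sentinel's own rule code. It evaluates the alert logic (Security event 4624 with LogonType 9) over a handful of constructed event records whose field names follow the 4624 schema (EventID, LogonType, TargetUserName, Computer, TimeCreated) and whose hostnames, user names and timestamps are made up. It also implements recommendation 2 as a helper that lists the other hosts the alerted account logged on to after the alert. In Sentinel itself the same filter would be expressed in KQL over the SecurityEvent table (EventID == 4624 and LogonType == 9).

```python
from typing import Dict, Iterable, List

# Logon type 9 = NewCredentials: the caller cloned its token with a new set of
# credentials for outbound connections. Both "runas /netonly" (the listed false
# positive) and Mimikatz sekurlsa::pth produce this logon type, which is why the
# event alone cannot tell them apart and the alert needs analyst triage.
LOGON_TYPE_NEW_CREDENTIALS = 9
EVENT_SUCCESSFUL_LOGON = 4624   # "An account was successfully logged on"

# Constructed sample events (not real telemetry). Field names mirror the
# Security event 4624 schema; values are invented for this example.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4624, "TimeCreated": "2024-01-10T09:12:03Z", "Computer": "WS01",
     "TargetUserName": "alice", "TargetDomainName": "CORP", "LogonType": 2,
     "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate"},
    # The alert-worthy event: successful NewCredentials logon on the workstation.
    {"EventID": 4624, "TimeCreated": "2024-01-10T09:15:44Z", "Computer": "WS01",
     "TargetUserName": "alice", "TargetDomainName": "CORP", "LogonType": 9,
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate"},
    # Subsequent network logons by the same account on other hosts.
    {"EventID": 4624, "TimeCreated": "2024-01-10T09:16:10Z", "Computer": "FS01",
     "TargetUserName": "alice", "TargetDomainName": "CORP", "LogonType": 3,
     "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4624, "TimeCreated": "2024-01-10T09:18:27Z", "Computer": "SQL01",
     "TargetUserName": "alice", "TargetDomainName": "CORP", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM"},
    # A failed (4625) type-9 logon: not covered by this alert, which requires success.
    {"EventID": 4625, "TimeCreated": "2024-01-10T09:20:00Z", "Computer": "WS02",
     "TargetUserName": "bob", "TargetDomainName": "CORP", "LogonType": 9,
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate"},
]


def is_successful_new_credentials_logon(event: Dict) -> bool:
    """Alert condition MS-A148: a successful logon (4624) with logon type 9."""
    return (event.get("EventID") == EVENT_SUCCESSFUL_LOGON
            and event.get("LogonType") == LOGON_TYPE_NEW_CREDENTIALS)


def find_alerts(events: Iterable[Dict]) -> List[Dict]:
    """Return every event that satisfies the alert condition."""
    return [e for e in events if is_successful_new_credentials_logon(e)]


def subsequent_access(events: Iterable[Dict], alert: Dict) -> List[Dict]:
    """Recommendation 2: successful logons by the alerted account on hosts other
    than the alert host, at or after the alert time. Timestamps are ISO 8601 in
    UTC, so plain string comparison orders them correctly."""
    return [e for e in events
            if e.get("EventID") == EVENT_SUCCESSFUL_LOGON
            and e.get("TargetUserName") == alert["TargetUserName"]
            and e.get("TargetDomainName") == alert["TargetDomainName"]
            and e.get("Computer") != alert["Computer"]
            and e.get("TimeCreated", "") >= alert["TimeCreated"]]


def triage(events: List[Dict]) -> List[Dict]:
    """Pair each alert with the sorted list of hosts the account moved on to."""
    return [{"alert": a,
             "onward_hosts": sorted({e["Computer"] for e in subsequent_access(events, a)})}
            for a in find_alerts(events)]


if __name__ == "__main__":
    for item in triage(SAMPLE_EVENTS):
        a = item["alert"]
        print(f"{a['TimeCreated']} {a['Computer']} {a['TargetDomainName']}\\{a['TargetUserName']} "
              f"logon type {a['LogonType']} -> onward hosts: {item['onward_hosts']}")
```

Because a legitimate runas /netonly session yields an identical 4624/type-9 record, the onward-host list is what turns the alert into a decision: an account that pivots to file and database servers minutes after the NewCredentials logon warrants the "disable account" recommendation, whereas an administrator's routine /netonly use with no onward access can be closed as the documented false positive.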