Managed Sentinel – Alert 148
| Field | Value |
|---|---|
| Alert ID | MS-A148 |
| Alert Name | Successful overpass the hash attempt |
| Description | Detects a successful logon with logon type 9 (NewCredentials), which matches the Overpass the Hash behaviour of e.g. Mimikatz's sekurlsa::pth module. |
| Severity Level | High |
| Threat Indicator | Root Access |
| MITRE ATT&CK Tactics | Lateral movement |
| Log sources | Windows Security Event Logs |
| False Positive | 1. The runas command-line tool used with the /netonly parameter |
| Recommendations | 1. Disable the user account. 2. Use Azure Sentinel to query and report all access from the affected user account to other internal resources (lateral movement). |
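The detection condition from the table, as an added example that is not Managed Sentinel's own rule logic: a small Python filter run over constructed Security events in a simplified JSON shape, keeping only successful logons (event 4624) with LogonType 9 and tagging each hit with the runas /netonly false-positive check an analyst has to make. The field names (EventID, LogonType, TargetUserName, WorkstationName) are assumed to follow the 4624 event schema; the sample values are made up.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample events (simplified JSON; values are made up for this example).
SAMPLE_EVENTS = [
    '{"EventID": 4624, "LogonType": 9, "TargetUserName": "jdoe", "WorkstationName": "WS01"}',
    '{"EventID": 4624, "LogonType": 2, "TargetUserName": "jdoe", "WorkstationName": "WS01"}',
    '{"EventID": 4624, "LogonType": 9, "TargetUserName": "svc-backup", "WorkstationName": "WS07"}',
    '{"EventID": 4625, "LogonType": 9, "TargetUserName": "admin", "WorkstationName": "WS02"}',
    'not a json line',
]

EVENT_SUCCESSFUL_LOGON = 4624
LOGON_TYPE_NEW_CREDENTIALS = 9  # NewCredentials: produced by pth-style logons and by runas /netonly


def detect_newcredentials_logons(lines: Iterable[str]) -> List[Dict]:
    """Return the MS-A148 hits: successful (4624) logons with logon type 9.

    A 4625 (failed logon) of type 9 is deliberately ignored, and malformed
    lines are skipped rather than aborting the scan.
    """
    hits: List[Dict] = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("EventID") != EVENT_SUCCESSFUL_LOGON:
            continue
        if ev.get("LogonType") != LOGON_TYPE_NEW_CREDENTIALS:
            continue
        hits.append({
            "alert": "MS-A148",
            "account": ev.get("TargetUserName", "?"),
            "workstation": ev.get("WorkstationName", "?"),
            # Logon type 9 alone cannot separate overpass-the-hash from runas /netonly,
            # so every hit carries the triage question from the False Positive row.
            "triage": "confirm whether runas /netonly explains this NewCredentials logon",
        })
    return hits


def accounts_to_pivot_on(hits: List[Dict]) -> List[str]:
    """Distinct accounts to query for follow-on access (Recommendation 2)."""
    return sorted({h["account"] for h in hits})


if __name__ == "__main__":
    for hit in detect_newcredentials_logons(SAMPLE_EVENTS):
        print(hit)
    print("pivot on:", accounts_to_pivot_on(detect_newcredentials_logons(SAMPLE_EVENTS)))
```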
