Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.
Detects logons using NTLM, which could be caused by a legacy source or by attackers.
Detects a successful logon with logon type 9 (NewCredentials), which matches the Overpass the Hash behavior of, e.g., Mimikatz's sekurlsa::pth module.
Detects the pass-the-hash attack technique, which is used to move laterally inside the network.
Detects events that are generated when using the hacktool Ruler by SensePost.