LoFP / go utilities that use staaldraad awesome ntlm library

Techniques

• t1059
• t1087
• t1114
• t1550
• t1550.002

Sample rules

Hacktool Ruler

• source: sigma
• technicques:
  • t1059
  • t1087
  • t1114
  • t1550
  • t1550.002

Description

This events that are generated when using the hacktool Ruler by Sensepost

Detection logic

condition: (1 of selection*)
selection1:
  EventID: 4776
  Workstation: RULER
selection2:
  EventID:
  - 4624
  - 4625
  WorkstationName: RULER