Techniques
Sample rules
NTLM Logon
- source: sigma
- techniques:
  - t1550
  - t1550.002
Description
Detects logons using NTLM, which could be caused by a legacy source or attackers
Detection logic
condition: selection
selection:
  EventID: 8002
  ProcessName|contains: '*'