runas command-line tool using /netonly parameter

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml>sigma
technicques: t1550 t1550.002

Techniques

Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz’s sekurlsa::pth module.

condition: selection
selection:
  AuthenticationPackageName: Negotiate
  EventID: 4624
  LogonProcessName: seclogo
  LogonType: 9