NTLM Logon
Detects logons that use NTLM authentication, which could be caused by a legacy source or by attackers.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1550.002 Use Alternate Authentication Material: Pass the Hash |
| Lateral Movement | T1550.002 Use Alternate Authentication Material: Pass the Hash |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| NTLM | 8002 | NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked. |