Has anyone used Splunk Enterprise to effectively detect Pass The Ticket related attacks? If so, I would be curious as to how you did it. Thanks!
https://www.splunk.com/en_us/blog/security/att-ck-ing-the-adversary-episode-3-operationalizing-att-c...
https://splunkbase.splunk.com/app/3435/
https://www.jpcert.or.jp/english/pub/sr/ir_research.html
https://docs.splunk.com/Documentation/ESSOC/1.0.53/stories/UseCase