
Detect Activity Related to Pass the Hash Attacks

Splunk Security Content

Summary
This rule is designed to identify potential Pass-the-Hash (PtH) attacks by analyzing Windows Security Event logs, focusing on Event Code 4624 to capture the authentication attempts associated with this technique. The search filters for Logon Types 3 and 9 and excludes anonymous logons. While this approach can help surface unauthorized access attempts, the rule is marked as deprecated because of the high volume of legitimate logon traffic that also produces these events, especially in environments with significant user activity. A large number of false positives can therefore arise from legitimate NTLM logon events, so any flagged occurrence requires thorough investigation. Finally, use this detection in conjunction with other security measures for more reliable threat detection.
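As an added example (not the Splunk rule itself or its SPL), the filter the summary describes applied in Python to a handful of constructed 4624/4625 events, plus a per-account summary that shows why the hit volume is high. The dictionary field names (Logon_Type, Account_Name, Authentication_Package) are an assumption modelled on Splunk's Windows field extractions.

```python
"""Added example: apply the page's filters (EventCode 4624, Logon Type 3 or 9,
no anonymous logons) to constructed Windows Security events."""
from collections import Counter

# Constructed events. Field names follow the Splunk Windows add-on style but
# are an assumption, not copied from the rule.
SAMPLE_EVENTS = [
    {"EventCode": 4624, "Logon_Type": 3, "Account_Name": "svc_backup",
     "Authentication_Package": "NTLM", "Source_Network_Address": "10.0.0.15"},
    {"EventCode": 4624, "Logon_Type": 3, "Account_Name": "ANONYMOUS LOGON",
     "Authentication_Package": "NTLM", "Source_Network_Address": "10.0.0.22"},
    {"EventCode": 4624, "Logon_Type": 9, "Account_Name": "jdoe",
     "Authentication_Package": "Negotiate", "Source_Network_Address": "-"},
    {"EventCode": 4624, "Logon_Type": 2, "Account_Name": "jdoe",
     "Authentication_Package": "Kerberos", "Source_Network_Address": "-"},
    {"EventCode": 4625, "Logon_Type": 3, "Account_Name": "jdoe",
     "Authentication_Package": "NTLM", "Source_Network_Address": "10.0.0.40"},
    {"EventCode": 4624, "Logon_Type": 3, "Account_Name": "WS01$",
     "Authentication_Package": "Kerberos", "Source_Network_Address": "10.0.0.51"},
]

PTH_LOGON_TYPES = {3, 9}  # 3 = Network, 9 = NewCredentials (e.g. runas /netonly)


def matches_pth_rule(event: dict) -> bool:
    """Mirror the page's filter: successful logon, type 3 or 9, not anonymous."""
    if event.get("EventCode") != 4624:
        return False
    if event.get("Logon_Type") not in PTH_LOGON_TYPES:
        return False
    return event.get("Account_Name", "").upper() != "ANONYMOUS LOGON"


def detect(events: list[dict]) -> list[dict]:
    """Return the events the rule would surface for analyst review."""
    return [e for e in events if matches_pth_rule(e)]


def triage_summary(flagged: list[dict]) -> Counter:
    """Count hits per (account, authentication package). The rule fires on every
    type 3/9 logon, so machine accounts and Kerberos network logons are flagged
    alongside the NTLM logons of interest; this is the false-positive volume
    the summary warns about."""
    return Counter((e["Account_Name"], e["Authentication_Package"]) for e in flagged)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for (account, package), n in triage_summary(hits).items():
        print(f"{account:<16} {package:<10} {n}")
```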
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Logon Session
ATT&CK Techniques
  • T1550
  • T1550.002
Created: 2024-11-14