Pass the Hash Activity 2

Sigma Rules

Summary
This detection rule, 'Pass the Hash Activity 2', identifies lateral movement across a network using the Pass-the-Hash (PtH) technique. PtH lets an attacker authenticate with a password hash instead of the clear-text password, giving access to multiple systems without ever knowing the password itself. The rule tracks Windows security events that may indicate PtH abuse. It primarily looks for Windows Event ID 4624 (successful logon) under conditions that suggest misuse: logons with LogonType 3 (network logon) and LogonType 9 (batch logon) where the LogonProcessName is 'NtLmSsp' or 'seclogo'. It also filters out 'ANONYMOUS LOGON' events, which frequently result from legitimate administrator activity, to reduce false positives. Logon events matching these criteria are flagged as a sign of PtH activity so that security teams can investigate the potential incident.
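As an added illustration (not the Sigma rule itself or the catalog's code), the following Python function applies the matching logic summarised above to parsed 4624 records. It assumes events are dicts keyed by the Windows Security field names Sigma uses (EventID, LogonType, LogonProcessName, TargetUserName) and implements only the criteria the summary lists; the published rule may carry additional conditions.

```python
"""Simplified matcher for the 'Pass the Hash Activity 2' logic described above.

Assumption (not from the page): each event is a dict keyed by the Windows
Security event field names used in Sigma. Only the summary's criteria are
implemented; the full rule may contain further conditions.
"""

# (LogonType, LogonProcessName) pairs the summary calls out as suspicious.
# Sigma string matching is case-insensitive, so process names are lowercased.
SUSPICIOUS_LOGONS = {
    ("3", "ntlmssp"),   # network logon authenticated through NTLM
    ("9", "seclogo"),   # LogonType 9 handled by the seclogo logon process
}


def is_pth_candidate(event: dict) -> bool:
    """Return True if a single 4624 event matches the summary's PtH criteria."""
    if str(event.get("EventID")) != "4624":
        return False
    # Filter: ANONYMOUS LOGON is excluded to cut common false positives
    if str(event.get("TargetUserName", "")).upper() == "ANONYMOUS LOGON":
        return False
    pair = (str(event.get("LogonType")),
            str(event.get("LogonProcessName", "")).lower())
    return pair in SUSPICIOUS_LOGONS


def find_pth_events(events):
    """Return the list of matching events from an iterable of parsed records."""
    return [e for e in events if is_pth_candidate(e)]


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp",
     "TargetUserName": "svc_backup", "WorkstationName": "WS01"},
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp",
     "TargetUserName": "ANONYMOUS LOGON", "WorkstationName": "WS02"},
    {"EventID": 4624, "LogonType": 9, "LogonProcessName": "seclogo",
     "TargetUserName": "jdoe", "WorkstationName": "WS03"},
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "Kerberos",
     "TargetUserName": "jdoe", "WorkstationName": "WS04"},
    {"EventID": 4625, "LogonType": 3, "LogonProcessName": "NtLmSsp",
     "TargetUserName": "jdoe", "WorkstationName": "WS05"},
]

if __name__ == "__main__":
    for hit in find_pth_events(SAMPLE_EVENTS):
        print(hit["WorkstationName"], hit["TargetUserName"], hit["LogonProcessName"])
```

Only WS01 (NTLM network logon) and WS03 (LogonType 9 via seclogo) match; the anonymous logon, the Kerberos logon and the failed 4625 are dropped.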
Categories
  • Windows
  • Network
  • Endpoint
Data Sources
  • Windows Registry
  • Logon Session
  • Process
Created: 2019-06-14