This is awesome, thank you for sharing this. I really liked how you showed the event logs and what to look for. I was able to take this back to work to start creating a detection.

Thank you very much for your content, I am really enjoying the way you convey the information and the fact that you make the extra step of showing how to detect these common techniques and toolsets is very eye-opening. A question(or clarification) about detecting Pass-The-Cert attack. The fields of the event we need to effectively detect this attack are the event code, the certificate issuer name and the account name of a user? Additionally, I think we can catch this attack from the Ticket options field revealing the tool used. Thank you again for your effort creating such content of high quality

Found your channel on linkedin, and loving your content!

So do I run the send function inside of the organization? Or can it be done externally plus a listener inside the organization? Also, the method you showed can only be run on an already compromised windows host, correct?

Have you tried the send function as well? I only get the hashes of the sender and not the receiver when I use this. The reminder does pop up on the receivers end but no hashes are sent :( The ntlm listener is reachable bcs when I go to its unc path on the victim machine I do get the hashes

please make a video How to Create Custom Phishlets in Evilginx2?