Mimikatz

https://redcanary.com/threat-detection-report/threats/mimikatz/

https://neil-fox.github.io/Mimikatz-usage-&-detection/

https://medium.com/@levurge/detecting-mimikatz-with-sysmon-f6a96669747e

https://www.alteredsecurity.com/post/a-primer-on-dcsync-attack-and-detection

Potentially suspicious commands

https://gist.github.com/gfoss/2b39d680badd2cad9d82

Mandiant's guide to Powershell logging

https://www.mandiant.com/resources/greater-visibilityt

https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing

https://www.elastic.co/blog/how-attackers-abuse-access-token-manipulation

https://www.hub.trimarcsecurity.com/post/trimarc-research-detecting-kerberoasting-activity

https://adsecurity.org/?p=3458

https://www.redsiege.com/blog/2020/10/detecting-kerberoasting/

https://threathuntingreadings.com/passthehashwhatisandhowcanwedetectit/

https://adsecurity.org/?p=1515

NTLM relay

https://posts.bluraven.io/detecting-ntlm-relay-attacks-d92e99e68fb9

Detecting Kerberos Relaying atttacks

https://posts.bluraven.io/detecting-kerberos-relaying-e6be66fa647c

https://marcusedmondson.com/2021/02/28/windows-persistence-mechanics-dll-search-order-hijacking/

Japan CERT guide

https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf

CERT-EU guide

https://media.cert.europa.eu/static/WhitePapers/CERT-EU_SWP_17-002_Lateral_Movements.pdf

Compass Security's guide to GPO settings

https://www.compass-security.com/fileadmin/Datein/Research/White_Papers/lateral_movement_detection_basic_gpo_settings_v1.0.pdf

Forward Defense's Analyst guide

https://www.forwarddefense.com/media/attachments/2021/05/15/lateral-movement-analyst-reference.pdf

The Lowdown on Lateral Movement from Lares

https://www.lares.com/blog/the-lowdown-on-lateral-movement/