Typical attacks / steps for fast hashes > 9 characters (ntlm)
#1
I've been reading a lot about the various types of attacks one can do with hashcat and other tools.
I'm trying to put together a "typical" set of attacks that a skilled attacker would commonly use against a hash list of fast hashes such as ntlm.  In other words, given a list of a few thousand ntlm (or md5) hashes, what would you normally try first?  What attack second?

I understand one would try different things in different scenarios, but assume a random corporate environment in the US. You get the SAM table from a domain controller. Which attacks would you try first, second, third, most of the time?

I understand that ntlm hashes of 9 characters or fewer are very vulnerable to rainbow tables, with a success rate of about 96%.
I would think, therefore, rainbow tables would be used first, then hashcat for the longer passwords?

A top million list seems like a good first thing to try, but maybe I'm wrong.
In my research I came across "OneRuleToRuleThemAll", which also looks promising.
Not having much actual experience, though, I could be completely off base.
#2
First try: google it. There are plenty of websites where you can upload/test hashes to see whether they are already known; crackstation is a well-known example.

The rest depends on what you know about the hash: self-chosen password with no rules, fully random, and so on.

hashcat with a good dictionary + rules (the wordlist depends a little bit on the "target": German, Russian, English, Spanish, whatever).

Existing rainbow tables, well, yeah, no. Good for plain ASCII, not suitable for any other special chars like £§äöü߀ and so on. Try cracking the md5 of the German öl (oil); you will never get it with rainbow tables.

Top million list, well, the problem with these lists is garbage (not really, but jfyi). Do you remember the Adobe hack and the aftermath with "most used password is 12345"? Well no, this is bu****it. Back then Adobe bugged all users to register just for downloading Adobe Reader, and guess what happened: most used trash mails and trash passes like 12345 because no one wanted to really register just for downloading this crap software. But anyway.

When it comes to rules: rules are MODIFYING passwords, not generating them, so you will still need a good wordlist for this.

Just for fun: when I have access to the domain controller, I would roll out a keylogger per GPO, wait a week and get all password plains for free.
#3
Thanks, Snoopy. Crackstation etc. hadn't occurred to me.

I notice you did not say the words "masks" or "prince". 
I take it those are not some of the first tools you tend to reach for, in most cases.
#4
(02-07-2022, 09:12 PM)secpro Wrote: Thanks, Snoopy. Crackstation etc. hadn't occurred to me.

I notice you did not say the words "masks" or "prince". 
I take it those are not some of the first tools you tend to reach for, in most cases.

I am using masks for attacks, but this is always kind of brute force and therefore, in my opinion, just for fun in most cases, OR you have a very, very specific clue about the password style.

About PRINCE: I suggested PRINCE in another thread where a likewise specific attack vector was suitable (short phrase, 1-3 words plus digits or special chars). So, like I said, it all depends on your knowledge about the used password which attack to choose.