NTLM Logon

calendar Oct 23, 2025 · attack.defense-evasion attack.lateral-movement attack.t1550.002  ·
Share on: linkedin copy

Detects logons using NTLM, which could be caused by a legacy source or attackers

Sigma rule (View on GitHub)

 1title: NTLM Logon
 2id: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b
 3status: test
 4description: Detects logons using NTLM, which could be caused by a legacy source or attackers
 5references:
 6    - https://twitter.com/JohnLaTwC/status/1004895028995477505
 7author: Florian Roth (Nextron Systems)
 8date: 2018-06-08
 9modified: 2024-07-22
10tags:
11    - attack.defense-evasion
12    - attack.lateral-movement
13    - attack.t1550.002
14logsource:
15    product: windows
16    service: ntlm
17    definition: Requires events from Microsoft-Windows-NTLM/Operational
18detection:
19    selection:
20        EventID: 8002
21    condition: selection
22falsepositives:
23    - Legacy hosts
24level: low

References

  • Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.


    Read More

Related rules

to-top