NTLM Logon
Detects logons using NTLM, which could be caused by a legacy source or attackers
Sigma rule (View on GitHub)
title: NTLM Logon
id: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b
status: test
description: Detects logons using NTLM, which could be caused by a legacy source or attackers
references:
    - https://twitter.com/JohnLaTwC/status/1004895028995477505
    - https://goo.gl/PsqrhT
author: Florian Roth (Nextron Systems)
date: 2018/06/08
modified: 2022/10/05
tags:
    - attack.lateral_movement
    - attack.t1550.002
logsource:
    product: windows
    service: ntlm
    definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
    selection:
        EventID: 8002
        ProcessName|contains: '*' # We use this to avoid false positives with ID 8002 on other log sources if the logsource isn't set correctly
    condition: selection
falsepositives:
    - Legacy hosts
level: low
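As an added example (not part of this rule or the Sigma project), the following Python evaluates the rule's `selection` over constructed sample events and tags matches from known legacy hosts, the documented false positive. The event field layout, host names and the `LEGACY_HOSTS` allowlist are assumptions; the `ProcessName|contains: '*'` check is implemented as a field-presence test, which is what the rule's comment says it is for.

```python
"""Evaluate the 'NTLM Logon' Sigma selection over sample event records."""
from typing import Any, Iterable

# Constructed sample records (not real telemetry) shaped like parsed
# Microsoft-Windows-NTLM/Operational events, plus an unrelated EventID 8002
# from another provider that lacks a ProcessName field.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"Channel": "Microsoft-Windows-NTLM/Operational", "EventID": 8002,
     "ProcessName": "C:\\Windows\\System32\\svchost.exe", "Computer": "FILESRV01"},
    {"Channel": "Microsoft-Windows-NTLM/Operational", "EventID": 8002,
     "ProcessName": "C:\\Windows\\System32\\lsass.exe", "Computer": "LEGACY-NAS"},
    {"Channel": "Microsoft-Windows-NTLM/Operational", "EventID": 8001,
     "ProcessName": "C:\\Windows\\explorer.exe", "Computer": "WS042"},
    {"Channel": "Some-Other-Provider/Operational", "EventID": 8002,
     "Computer": "APP01"},
]

# Assumed allowlist of hosts known to still require NTLM (the rule's
# documented false positive, "Legacy hosts").
LEGACY_HOSTS = {"LEGACY-NAS"}


def sigma_contains_any(value: Any) -> bool:
    """Mirror `ProcessName|contains: '*'`: Sigma's '*' matches any text, so the
    condition reduces to 'the field exists and holds a string'."""
    return isinstance(value, str)


def matches_ntlm_logon(event: dict[str, Any]) -> bool:
    """Evaluate `selection`: EventID 8002 AND ProcessName present."""
    return event.get("EventID") == 8002 and sigma_contains_any(event.get("ProcessName"))


def triage(events: Iterable[dict[str, Any]]) -> list[tuple[str, str]]:
    """Return (host, verdict) for each matching event: 'legacy' for
    allowlisted hosts (low priority), 'review' for everything else."""
    results = []
    for ev in events:
        if matches_ntlm_logon(ev):
            host = ev.get("Computer", "<unknown>")
            results.append((host, "legacy" if host in LEGACY_HOSTS else "review"))
    return results


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS):
        print(f"{host}: {verdict}")
```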
Related rules
- Successful Overpass the Hash Attempt
- Pass the Hash Activity 2
- Audit CVE Event
- Metasploit Or Impacket Service Installation Via SMB PsExec
- OpenSSH Server Listening On Socket