NetNTLM Downgrade Attack
Detects NetNTLM downgrade attack
Sigma rule:
```yaml
title: NetNTLM Downgrade Attack
id: d3abac66-f11c-4ed0-8acb-50cc29c97eed
related:
    - id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
      type: derived
status: test
description: Detects NetNTLM downgrade attack
references:
    - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
author: Florian Roth (Nextron Systems), wagga
date: 2018-03-20
modified: 2022-10-09
tags:
    - attack.defense-evasion
    - attack.t1562.001
    - attack.t1112
# Windows Security Eventlog: Process Creation with Full Command Line
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
detection:
    selection:
        EventID: 4657
        ObjectName|contains|all:
            - '\REGISTRY\MACHINE\SYSTEM'
            - 'ControlSet'
            - '\Control\Lsa'
        ObjectValueName:
            - 'LmCompatibilityLevel'
            - 'NtlmMinClientSec'
            - 'RestrictSendingNTLMTraffic'
    condition: selection
falsepositives:
    - Unknown
level: high
```
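To see what the selection above actually fires on, here is an added example (not part of the Sigma rule or the SigmaHQ project) that replays the rule's matching logic over constructed Security 4657 events. The event dictionaries are made up for illustration; note that the rule matches on value name only and never inspects NewValue, so a change that hardens NTLM settings matches just like a downgrade.

```python
"""Added example: evaluate the NetNTLM downgrade rule's selection block over
constructed Windows Security 4657 (registry value modified) events."""
from typing import Iterable

# Mirrors the rule's selection. Sigma string matching is case-insensitive,
# so every comparison below is done in lower case.
LSA_PATH_PARTS = (r"\registry\machine\system", "controlset", r"\control\lsa")
WATCHED_VALUES = {"lmcompatibilitylevel", "ntlmminclientsec", "restrictsendingntlmtraffic"}


def matches_netntlm_downgrade(event: dict) -> bool:
    """True when a 4657 event changes one of the watched NTLM values under Lsa."""
    if str(event.get("EventID")) != "4657":
        return False
    obj = str(event.get("ObjectName", "")).lower()
    # contains|all: every fragment must occur somewhere in ObjectName. 'controlset'
    # therefore covers both ControlSet001 and CurrentControlSet, and '\control\lsa'
    # also covers the Lsa\MSV1_0 subkey where NtlmMinClientSec lives.
    if not all(part in obj for part in LSA_PATH_PARTS):
        return False
    # ObjectValueName is a plain list: exact (case-insensitive) match on any entry.
    return str(event.get("ObjectValueName", "")).lower() in WATCHED_VALUES


def alerts(events: Iterable[dict]) -> list:
    """Return the subset of events that the rule would alert on."""
    return [e for e in events if matches_netntlm_downgrade(e)]


# Constructed sample events; values are illustrative, not captured telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4657, "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa",
     "ObjectValueName": "LmCompatibilityLevel", "OldValue": "5", "NewValue": "2"},
    {"EventID": 4657, "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0",
     "ObjectValueName": "NtlmMinClientSec", "OldValue": "0x20080000", "NewValue": "0"},
    # Same key, but a value the rule does not list: no alert.
    {"EventID": 4657, "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa",
     "ObjectValueName": "LimitBlankPasswordUse", "NewValue": "1"},
    # Right value name, but a read (4663) rather than a modification: no alert.
    {"EventID": 4663, "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa",
     "ObjectValueName": "LmCompatibilityLevel"},
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(f"ALERT {hit['ObjectName']} -> {hit['ObjectValueName']} = {hit.get('NewValue')}")
```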
Related rules
- Disable Security Events Logging Adding Reg Key MiniNt
- Reg Add Suspicious Paths
- AMSI Bypass Pattern Assembly GetType
- AWS CloudTrail Important Change
- AWS Config Disabling Channel/Recorder