NTLMv1 Logon Between Client and Server
Detects the reporting of NTLMv1 being used between a client and server
Sigma rule (View on GitHub)
1title: NTLMv1 Logon Between Client and Server
2id: e9d4ab66-a532-4ef7-a502-66a9e4a34f5d
3status: experimental
4description: Detects the reporting of NTLMv1 being used between a client and server
5references:
6 - https://attack.mitre.org/techniques/T1550/002/
7author: Tim Shelton
8date: 2022/04/26
9modified: 2022/05/02
10tags:
11 - attack.execution
12 - attack.t1550.002
13 - attack.s0363
14logsource:
15 product: windows
16 service: system
17detection:
18 selection:
19 Provider_Name: "LsaSrv"
20 EventID: 6038
21 condition: selection
22fields:
23 - EventID
24 - Provider_Name
25falsepositives:
26 - Environments that use NTLMv1
27level: low