NTLMv1 Logon Between Client and Server
Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.
Sigma rule (View on GitHub)
1title: NTLMv1 Logon Between Client and Server
2id: e9d4ab66-a532-4ef7-a502-66a9e4a34f5d
3status: experimental
4description: Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.
5references:
6 - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/22H2/W10_22H2_Pro_20230321_19045.2728/WEPExplorer/LsaSrv.xml
7author: Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
8date: 2022/04/26
9modified: 2023/06/06
10tags:
11 - attack.defense_evasion
12 - attack.lateral_movement
13 - attack.t1550.002
14logsource:
15 product: windows
16 service: system
17detection:
18 selection:
19 Provider_Name: "LsaSrv"
20 EventID:
21 - 6038
22 - 6039
23 condition: selection
24falsepositives:
25 - Environments that use NTLMv1
26level: medium
References
Related rules
- New Port Forwarding Rule Added Via Netsh.EXE
- Password Provided In Command Line Of Net.EXE
- WannaCry Ransomware Activity
- Audit CVE Event
- NTLM Logon