NetNTLM Downgrade Attack - Registry

 1title: NetNTLM Downgrade Attack - Registry
 2id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
 3status: test
 4description: Detects NetNTLM downgrade attack
 5references:
 6    - https://web.archive.org/web/20171113231705/https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
 7author: Florian Roth (Nextron Systems), wagga
 8date: 2018-03-20
 9modified: 2022-11-29
10tags:
11    - attack.defense-evasion
12    - attack.t1562.001
13    - attack.t1112
14logsource:
15    product: windows
16    category: registry_event
17detection:
18    selection:
19        TargetObject|contains|all:
20            - 'SYSTEM\'
21            - 'ControlSet'
22            - '\Control\Lsa'
23        TargetObject|endswith:
24            - '\lmcompatibilitylevel'
25            - '\NtlmMinClientSec'
26            - '\RestrictSendingNTLMTraffic'
27    condition: selection
28falsepositives:
29    - Unknown
30level: high

References

• Post Exploitation Using NetNTLM Downgrade Attacks

  

  I love to pass the hash and steal tokens as much as the next pentester, but sometimes it’s nice to have the actual password for a user. Here are some cases where having the password, instead of just the hash, is helpful:

  
  Read More

Related rules

• Disable Security Events Logging Adding Reg Key MiniNt
• NetNTLM Downgrade Attack
• Reg Add Suspicious Paths
• AMSI Bypass Pattern Assembly GetType
• AWS CloudTrail Important Change