Detectionlowtest

NTLM Logon

Detects logons using NTLM, which could be caused by a legacy source or attackers

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems)Created Fri Jun 08Updated Mon Jul 2298c3bcf1-56f2-49dc-9d8d-c66cf190238bwindows

Log Source

Windowsntlm

ProductWindows← raw: windows

Servicentlm← raw: ntlm

Definition

Requires events from Microsoft-Windows-NTLM/Operational

Detection Logic

detection:
    selection:
        EventID: 8002
    condition: selection

False Positives

Legacy hosts

References

MITRE ATT&CK

Tactics

Sub-techniques

Rule Metadata

Rule ID

98c3bcf1-56f2-49dc-9d8d-c66cf190238b

Status

test

Level

low

Type

Detection

Created

Fri Jun 08

Modified

Mon Jul 22

Author

Path

rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml

Raw Tags

attack.defense-evasionattack.lateral-movementattack.t1550.002