Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

NetNTLM Downgrade Attack

Detects NetNTLM downgrade attack

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems), waggaCreated Tue Mar 20Updated Sun Oct 09d3abac66-f11c-4ed0-8acb-50cc29c97eedwindows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security

Definition

Requirements: Audit Policy : Object Access > Audit Registry (Success)

Detection Logic
Detection Logic1 selector
detection:
    selection:
        EventID: 4657
        ObjectName|contains|all:
            - '\REGISTRY\MACHINE\SYSTEM'
            - 'ControlSet'
            - '\Control\Lsa'
        ObjectValueName:
            - 'LmCompatibilityLevel'
            - 'NtlmMinClientSec'
            - 'RestrictSendingNTLMTraffic'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
optiv.com
MITRE ATT&CK
Related Rules
DerivedDetectionhigh

NetNTLM Downgrade Attack - Registry

Detects NetNTLM downgrade attack

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
d3abac66-f11c-4ed0-8acb-50cc29c97eed
Status
test
Level
high
Type
Detection
Created
Tue Mar 20
Modified
Sun Oct 09
Author
Florian Roth (Nextron Systems), wagga
Path
rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml
Raw Tags
attack.persistenceattack.defense-evasionattack.t1562.001attack.t1112
View on GitHub