Type: Detection · Level: high · Status: test
NetNTLM Downgrade Attack - Registry
Detects NetNTLM downgrade attack
Authors: Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Nextron Systems)
Created: Tue Mar 20
Updated: Tue Dec 03
Rule ID: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
Platform: windows
Log Source
Windows / Registry Event
Product: Windows (raw: windows)
Category: Registry Event (raw: registry_event)
Events for Windows Registry modifications including key creation, modification, and deletion.
Detection Logic (4 selectors)
detection:
    selection_regkey:
        TargetObject|contains|all:
            - 'SYSTEM\'
            - 'ControlSet'
            - '\Control\Lsa'
    selection_value_lmcompatibilitylevel:
        TargetObject|endswith: '\lmcompatibilitylevel'
        Details:
            - 'DWORD (0x00000000)'
            - 'DWORD (0x00000001)'
            - 'DWORD (0x00000002)'
    selection_value_ntlmminclientsec:
        TargetObject|endswith: '\NtlmMinClientSec'
        Details:
            - 'DWORD (0x00000000)' # No Security
            - 'DWORD (0x00000010)' # Only Integrity
            - 'DWORD (0x00000020)' # Only confidentiality
            - 'DWORD (0x00000030)' # Both Integrity and confidentiality
    selection_value_restrictsendingntlmtraffic:
        # Note: The obvious values with issues are 0x00000000 (allow all) and 0x00000001 (audit).
        # 0x00000002 can be secure but only if "ClientAllowedNTLMServers" is properly configured
        # Hence all values should be monitored and investigated
        TargetObject|endswith: '\RestrictSendingNTLMTraffic'
    condition: selection_regkey and 1 of selection_value_*

False Positives
Services or tools that set the values to more restrictive values
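To see how the four selectors and the condition combine, the following is an added Python re-implementation of the rule's detection logic (example code written for this page, not code from the Sigma rule, its authors or the Sigma project), run over constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records. The field names TargetObject and Details are Sysmon's; the RecordId and Image fields, paths and values in the sample records are made up. It also illustrates the false-positive note above: a write that moves a value to a more restrictive setting (LmCompatibilityLevel 5, NtlmMinClientSec 0x20080000) does not fire, while any write to RestrictSendingNTLMTraffic does, matching the rule's comment that all of its values warrant investigation.

```python
"""Re-implementation of the NetNTLM downgrade Sigma rule's detection logic.

Added example for this page, not code from the Sigma project or the rule
authors. It mirrors the four selectors and the condition of the rule and
runs them over constructed Sysmon Event ID 13 (RegistryEvent: Value Set)
records. Field names (TargetObject, Details) follow the Sysmon schema the
rule is written against; the record contents are invented for the example.
"""
from typing import Any, Dict, List, Optional, Tuple


def _fold(value: str) -> str:
    # Sigma string matching is case-insensitive unless a modifier says otherwise.
    return value.casefold()


# selection_regkey: all three fragments must occur in TargetObject (`contains|all`).
REGKEY_FRAGMENTS = tuple(_fold(f) for f in ("SYSTEM\\", "ControlSet", "\\Control\\Lsa"))

# selection_value_lmcompatibilitylevel: levels 0-2 still send LM / NTLMv1 responses.
LM_COMPAT_WEAK = {_fold(v) for v in ("DWORD (0x00000000)", "DWORD (0x00000001)", "DWORD (0x00000002)")}

# selection_value_ntlmminclientsec: settings that drop the NTLMv2 session security
# and 128-bit encryption requirement.
NTLM_MIN_CLIENT_SEC_WEAK = {_fold(v) for v in (
    "DWORD (0x00000000)",  # No Security
    "DWORD (0x00000010)",  # Only Integrity
    "DWORD (0x00000020)",  # Only confidentiality
    "DWORD (0x00000030)",  # Both Integrity and confidentiality
)}


def matches_regkey(target_object: str) -> bool:
    """selection_regkey: the value lives under SYSTEM\\...ControlSet...\\Control\\Lsa."""
    folded = _fold(target_object)
    return all(fragment in folded for fragment in REGKEY_FRAGMENTS)


def matching_value_selector(target_object: str, details: str) -> Optional[str]:
    """Return the name of the selection_value_* selector that fires, or None."""
    target = _fold(target_object)
    value = _fold(details)
    if target.endswith(_fold("\\lmcompatibilitylevel")) and value in LM_COMPAT_WEAK:
        return "selection_value_lmcompatibilitylevel"
    if target.endswith(_fold("\\NtlmMinClientSec")) and value in NTLM_MIN_CLIENT_SEC_WEAK:
        return "selection_value_ntlmminclientsec"
    # No Details constraint here: every write to this value is flagged for review.
    if target.endswith(_fold("\\RestrictSendingNTLMTraffic")):
        return "selection_value_restrictsendingntlmtraffic"
    return None


def evaluate(event: Dict[str, Any]) -> Optional[str]:
    """condition: selection_regkey and 1 of selection_value_*

    Returns the value selector that matched, or None when the rule does not fire.
    Only Event ID 13 (Value Set) carries the Details field the rule needs.
    """
    if event.get("EventID") != 13:
        return None
    target_object = str(event.get("TargetObject", ""))
    if not matches_regkey(target_object):
        return None
    return matching_value_selector(target_object, str(event.get("Details", "")))


def alerts(events: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Run the rule over a batch and return (RecordId, selector) for every hit."""
    hits = []
    for event in events:
        selector = evaluate(event)
        if selector is not None:
            hits.append((event["RecordId"], selector))
    return hits


# Constructed Sysmon Event ID 13 records; values and paths are invented.
_LSA = "HKLM\\System\\CurrentControlSet\\Control\\Lsa"
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"RecordId": "evt-1", "EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": _LSA + "\\LmCompatibilityLevel", "Details": "DWORD (0x00000000)"},
    # Hardening to level 5 (NTLMv2 only): the false-positive direction, no match.
    {"RecordId": "evt-2", "EventID": 13, "Image": "C:\\Windows\\System32\\gpupdate.exe",
     "TargetObject": _LSA + "\\LmCompatibilityLevel", "Details": "DWORD (0x00000005)"},
    {"RecordId": "evt-3", "EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": _LSA + "\\MSV1_0\\NtlmMinClientSec", "Details": "DWORD (0x00000010)"},
    {"RecordId": "evt-4", "EventID": 13, "Image": "C:\\Windows\\System32\\gpupdate.exe",
     "TargetObject": _LSA + "\\MSV1_0\\NtlmMinClientSec", "Details": "DWORD (0x20080000)"},
    # Any write to RestrictSendingNTLMTraffic fires, even the potentially safe value 2.
    {"RecordId": "evt-5", "EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": _LSA + "\\MSV1_0\\RestrictSendingNTLMTraffic", "Details": "DWORD (0x00000002)"},
    # Same value name outside the Lsa key: selection_regkey fails, no match.
    {"RecordId": "evt-6", "EventID": 13, "Image": "C:\\Program Files\\ExampleVendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\ExampleVendor\\Lsa\\LmCompatibilityLevel", "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for record_id, selector in alerts(SAMPLE_EVENTS):
        print(f"{record_id}: NetNTLM downgrade rule fired via {selector}")
```

The RestrictSendingNTLMTraffic branch deliberately ignores Details, as the rule does, so triage of those hits has to check whether ClientAllowedNTLMServers is configured alongside a value of 2.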
MITRE ATT&CK
Tactics: Persistence, Defense Evasion
Techniques: T1112 Modify Registry
Sub-techniques: T1562.001 Impair Defenses: Disable or Modify Tools
Rule Metadata
Rule ID
d67572a0-e2ec-45d6-b8db-c100d14b8ef2
Status
test
Level
high
Type
Detection
Created
Tue Mar 20
Modified
Tue Dec 03
Path
rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
Raw Tags
attack.persistence, attack.defense-evasion, attack.t1562.001, attack.t1112