Detectionmediumtest

NTLMv1 Logon Between Client and Server

Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Tim Shelton, Nasreddine Bencherchali (Nextron Systems)Created Tue Apr 26Updated Tue Jun 06e9d4ab66-a532-4ef7-a502-66a9e4a34f5dwindows

Log Source

Windowssystem

ProductWindows← raw: windows

Servicesystem← raw: system

Detection Logic

detection:
    selection:
        Provider_Name: "LsaSrv"
        EventID:
            - 6038
            - 6039
    condition: selection

False Positives

Environments that use NTLMv1

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0008 · Lateral Movement

Sub-techniques

T1550.002 · Pass the Hash

Rule Metadata

Rule ID

e9d4ab66-a532-4ef7-a502-66a9e4a34f5d

Status

test

Level

medium

Type

Detection

Created

Tue Apr 26

Modified

Tue Jun 06

Author

Tim Shelton, Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml

Raw Tags

attack.defense-evasionattack.lateral-movementattack.t1550.002

View on GitHub