Event ID 6038 — Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server.

Provider: LsaSrv
Channel: System
Level: Warning

Message #

Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
 
NTLM is a weaker authentication mechanism. Please check:
 
      Which applications are using NTLM authentication?
      Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
      If NTLM must be supported, is Extended Protection configured?
 
Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.

Fields #

Name	Description
`Data_0`	—
`Binary`	—

Example Event #

{
  "system": {
    "provider": "LsaSrv",
    "guid": "{199fe037-2b82-40a9-82ac-e1d46c792b99}",
    "event_source_name": "LsaSrv",
    "event_id": 6038,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T17:39:24.046564+00:00",
    "event_record_id": 1326,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "",
    "Binary": ""
  },
  "message": ""
}

Detection Patterns #

Defense Evasion: Pass the Hash

LsaSrv Event ID 6038: Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server.OREvent ID 6039: Microsoft Windows Server has detected that NTLM authentication is being used between clients and this server.

1 rule

Sigma

NTLMv1 Logon Between Client and Server (source)

Tim Shelton, Nasreddine Bencherchali (Nextron Systems)

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline