Microsoft-Windows-NTLM

21 events across 3 channels

Event ID	Title	Channel
100	NTLM authentication failed because the account was a member of the Protected …	ProtectedUserFailures-DomainController
101	NTLM authentication failed because access control restrictions are required.	AuthenticationPolicyFailures-DomainController
301	NTLM authentication succeded, but it will fail when Authentication Policy is …	AuthenticationPolicyFailures-DomainController
4001	NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that …	Operational
4002	NTLM server blocked: Incoming NTLM traffic to servers that is blocked Calling …	Operational
4003	NTLM server blocked in the domain: NTLM authentication in this domain that is …	Operational
4010	NTLM Minimum Client Security Block: Calling process PID: %1 Calling Process …	Operational
4011	NTLM Minimum Server Security Block: Calling process PID: %1 Calling Process …	Operational
4012	NTLM client used the domain password.	Operational
4013	Attempt to use NTLMv1 failed.	Operational
4014	Attempt to get credential key by call package blocked by Credential Guard.	Operational
4015	NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that …	Operational
4020	This machine attempted to authenticate to a remote resource via NTLM.	Operational
4021	This machine attempted to authenticate to a remote resource via NTLM.	Operational
4022	A remote client is using NTLM to authenticate to this workstation.	Operational
4023	A remote client is using NTLM to authenticate to this workstation.	Operational
4024	Auditing an attempt to use NTLMv1-derived credentials for Single Sign-On.	Operational
4025	An attempt to use NTLMv1-derived credentials for Single Sign-On was blocked due …	Operational
8001	NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would …	Operational
8002	NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked …	Operational
8003	NTLM server blocked in the domain audit: Audit NTLM authentication in this …	Operational

Event ID 100 — NTLM authentication failed because the account was a member of the Protected User group.

Provider: Microsoft-Windows-NTLM
Channel: ProtectedUserFailures-DomainController

Message

NTLM authentication failed because the account was a member of the Protected User group.

Account Name:	%1
Device Name:	%2
Error Code:	%3

Fields

Name	Description
`Account_Name`	—
`Device_Name`	—
`Error_Code`	—
`AccountName`	—
`DeviceName`	—
`Status`	—

Event ID 101 — NTLM authentication failed because access control restrictions are required.

Provider: Microsoft-Windows-NTLM
Channel: AuthenticationPolicyFailures-DomainController

Message

NTLM authentication failed because access control restrictions are required.

Account Name:	%1
Device Name:	%2
Error Code:	%3

Authentication Policy Information:
	Silo Name:	%4
	PolicyName:	%5

Fields

Name	Description
`Account_Name`	—
`Device_Name`	—
`Error_Code`	—
`Silo_Name`	[Authentication Policy Information] Silo Name.
`PolicyName`	[Authentication Policy Information] PolicyName.
`AccountName`	—
`DeviceName`	—
`Status`	—
`SiloName`	—

Event ID 301 — NTLM authentication succeded, but it will fail when Authentication Policy is enforced because access control restrictions are required.

Provider: Microsoft-Windows-NTLM
Channel: AuthenticationPolicyFailures-DomainController

Message

NTLM authentication succeded, but it will fail when Authentication Policy is enforced because access control restrictions are required.

Account Name:	%1
Device Name:	%2
Error Code:	%3

Authentication Policy Information:
	Silo Name:	%4
	PolicyName:	%5

Fields

Name	Description
`Account_Name`	—
`Device_Name`	—
`Error_Code`	—
`Silo_Name`	[Authentication Policy Information] Silo Name.
`PolicyName`	[Authentication Policy Information] PolicyName.
`AccountName`	—
`DeviceName`	—
`Status`	—
`SiloName`	—

Event ID 4001 — NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked.

Provider: Microsoft-Windows-NTLM
Channel: Operational

Message

NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked.
Target server: %1
Supplied user: %2
Supplied domain: %3
PID of client process: %4
Name of client process: %5
LUID of client process: %6
User identity of client process: %7
Domain name of user identity of client process: %8
Mechanism OID: %9

NTLM authentication requests from this computer are blocked.

If you want to allow this computer to use NTLM authentication, set the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Allow all.

If you want only the target server %1 to accept NTLM authentication requests from this computer, set the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Deny all and then set the security policy Network Security: Restrict NTLM: Add remote server exceptions and list the target server %1 as an exception to use NTLM authentication.

Fields

Name	Description
`TargetName`	—
`UserName`	—
`DomainName`	—
`CallerPID`	—
`ProcessName`	—
`ClientLUID`	—
`ClientUserName`	—
`ClientDomainName`	—
`MechanismOID`	—

Event ID 4002 — NTLM server blocked: Incoming NTLM traffic to servers that is blocked Calling process PID: %1 Calling process name: %2 Calling process LUID: %3 Cal...

Provider: Microsoft-Windows-NTLM
Channel: Operational

Message

NTLM server blocked: Incoming NTLM traffic to servers that is blocked
Calling process PID: %1
Calling process name: %2
Calling process LUID: %3
Calling process user identity: %4
Calling process domain identity: %5
Mechanism OID: %6

NTLM authentication requests to this server have been blocked.

If you want this server to allow NTLM authentication, set the security policy Network Security: Restrict NTLM: Incoming NTLM Traffic to Allow all.

Fields

Name	Description
`Calling_process_PID`	—
`Calling_process_name`	—
`Calling_process_LUID`	—
`Calling_process_user_identity`	—
`Calling_process_domain_identity`	—
`Mechanism_OID`	—
`CallerPID`	—
`ProcessName`	—
`ClientLUID`	—
`ClientUserName`	—
`ClientDomainName`	—
`MechanismOID`	—

Event ID 4003 — NTLM server blocked in the domain: NTLM authentication in this domain that is blocked User: %1 Domain: %2 Workstation: %3 PID: %4 Process: %5 Logon...

Provider: Microsoft-Windows-NTLM
Channel: Operational

Message

NTLM server blocked in the domain: NTLM authentication in this domain that is blocked
User: %1
Domain: %2
Workstation: %3
PID: %4
Process: %5
Logon type: %6
InProc: %7
Mechanism: %8

NTLM authentication within the domain %2 is blocked.

If you want to allow NTLM authentication requests in the domain %1, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests only to specific servers in the domain %1, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in this domain as an exception to use NTLM authentication.

Fields

Name	Description
`User`	—
`Domain`	—
`Workstation`	—
`PID`	—
`Process`	—
`Logon_type`	—
`InProc`	—
`Mechanism`	—
`UserName`	—
`DomainName`	—
`CallerPID`	—
`ProcessName`	—
`LogonType`	—
`MechanismOID`	—

Event ID 4010 — NTLM Minimum Client Security Block: Calling process PID: %1 Calling Process Name: %2 Negotiated Security Flags: %3 Minimum Security Flags: %4.

Provider: Microsoft-Windows-NTLM
Channel: Operational

Message

NTLM Minimum Client Security Block:
Calling process PID: %1
Calling Process Name: %2
Negotiated Security Flags: %3
Minimum Security Flags: %4

Fields

Name	Description
`Calling_process_PID`	[NTLM Minimum Client Security Block] Calling process PID.
`Calling_Process_Name`	[NTLM Minimum Client Security Block] Calling Process Name.
`Negotiated_Security_Flags`	[NTLM Minimum Client Security Block] Negotiated Security Flags.
`Minimum_Security_Flags`	[NTLM Minimum Client Security Block] Minimum Security Flags.
`CallerPID`	—
`ProcessName`	—
`NegotiatedSecurity`	—
`RequiredSecurity`	—

Event ID 4011 — NTLM Minimum Server Security Block: Calling process PID: %1 Calling Process Name: %2 Negotiated Security Flags: %3 Minimum Security Flags: %4.

Provider: Microsoft-Windows-NTLM
Channel: Operational

Message

NTLM Minimum Server Security Block:
Calling process PID: %1
Calling Process Name: %2
Negotiated Security Flags: %3
Minimum Security Flags: %4

Fields

Name	Description
`Calling_process_PID`	[NTLM Minimum Server Security Block] Calling process PID.
`Calling_Process_Name`	[NTLM Minimum Server Security Block] Calling Process Name.
`Negotiated_Security_Flags`	[NTLM Minimum Server Security Block] Negotiated Security Flags.
`Minimum_Security_Flags`	[NTLM Minimum Server Security Block] Minimum Security Flags.
`CallerPID`	—
`ProcessName`	—
`NegotiatedSecurity`	—
`RequiredSecurity`	—

Event ID 4012 — NTLM client used the domain password.

Provider: Microsoft-Windows-NTLM
Channel: Operational

Message

NTLM client used the domain password. The attempt to use the DC-generated NTLM secret failed, and fallback to the domain password succeeded.
Account Name:	%1
Device Name:	%2

Fields

Name	Description
`Account_Name`	—
`Device_Name`	—
`AccountName`	—
`DeviceName`	—

Event ID 4013 — Attempt to use NTLMv1 failed.

Provider: Microsoft-Windows-NTLM
Channel: Operational

Message

Attempt to use NTLMv1 failed.

Target server: %1
Supplied user: %2
Supplied domain: %3
PID of client process: %4
Name of client process: %5
LUID of client process: %6
User identity of client process: %7
Domain name of user identity of client process: %8
Mechanism OID: %9

This device does not support NTLMv1. For more information, see https://go.microsoft.com/fwlink/?linkid=856826.

Fields

Name	Description
`TargetName`	—
`UserName`	—
`DomainName`	—
`CallerPID`	—
`ProcessName`	—
`ClientLUID`	—
`ClientUserName`	—
`ClientDomainName`	—
`MechanismOID`	—

Event ID 4014 — Attempt to get credential key by call package blocked by Credential Guard.

Provider: Microsoft-Windows-NTLM
Channel: Operational

Message

Attempt to get credential key by call package blocked by Credential Guard.

Calling Process Name: %1
Service Host Tag: %2

Fields

Name	Description
`Calling_Process_Name`	—
`Service_Host_Tag`	—
`ImageName`	—
`SvcHostTag`	—

Event ID 4015 — NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked.

Provider: Microsoft-Windows-NTLM
Channel: Operational

Message

NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked.
Target server: %1
Supplied user: %2
Supplied domain: %3
PID of client process: %4
Name of client process: %5
LUID of client process: %6
User identity of client process: %7
Domain name of user identity of client process: %8
Mechanism OID: %9

An application on this computer attempted NTLM for authentication but the application explicitly blocks NTLM usage. Using an IP address or local user credentials from a remote computer may lead to an NTLM authentication attempt. This event does not mean that NTLM is blocked for all authentication attempts from this computer.

Fields

Name	Description
`TargetName`	—
`UserName`	—
`DomainName`	—
`CallerPID`	—
`ProcessName`	—
`ClientLUID`	—
`ClientUserName`	—
`ClientDomainName`	—
`MechanismOID`	—

Event ID 4020 — This machine attempted to authenticate to a remote resource via NTLM.

Provider: Microsoft-Windows-NTLM
Channel: Operational

Message

This machine attempted to authenticate to a remote resource via NTLM.

Process Information:
	Process Name: %1
	Process PID: %2

Client Information:
	Username: %3
	Domain: %4
	Hostname: %5 
	Sign-On Type: %6

Target Information:
	Target Machine: %7
	Target Domain: %8
	Target Resource: %9
	Target IP: %10
	Target Network Name: %11

NTLM Usage:
	Reason ID: %12
	Reason: %13

NTLM Security:
	Negotiated Flags: %14
	NTLM Version: %15
	Session Key Status: %16
	Channel Binding: %17
	Service Binding: %18
	MIC Status: %19
	AvFlags: %20
	AvFlags String: %21

For more information, see aka.ms/ntlmlogandblock

Fields

Name	Description
`ProcessName`	—
`ProcessPID`	—
`Username`	—
`DomainName`	—
`Hostname`	—
`SingleSignOn`	—
`TargetMachine`	—
`TargetDomain`	—
`TargetService`	—
`TargetIP`	—
`TargetNetworkName`	—
`NtlmUsageId`	—
`NtlmUsageReason`	—
`NegotiatedFlags`	—
`NtlmVersion`	—
`SessionKeyStatus`	—
`ChannelBindingStatus`	—
`ServiceBinding`	—
`MicStatus`	—
`AvlFlags`	—
`AvlFlagsStr`	—

Event ID 4021 — This machine attempted to authenticate to a remote resource via NTLM.

Provider: Microsoft-Windows-NTLM
Channel: Operational

Message

This machine attempted to authenticate to a remote resource via NTLM.

Process Information:
	Process Name: %1
	Process PID: %2

Client Information:
	Username: %3
	Domain: %4
	Hostname: %5 
	Sign-On Type: %6

Target Information:
	Target Machine: %7
	Target Domain: %8
	Target Resource: %9
	Target IP: %10
	Target Network Name: %11

NTLM Usage:
	Reason ID: %12
	Reason: %13

NTLM Security:
	Negotiated Flags: %14
	NTLM Version: %15
	Session Key Status: %16
	Channel Binding: %17
	Service Binding: %18
	MIC Status: %19
	AvFlags: %20
	AvFlags String: %21

For more information, see aka.ms/ntlmlogandblock

Fields

Name	Description
`ProcessName`	—
`ProcessPID`	—
`Username`	—
`DomainName`	—
`Hostname`	—
`SingleSignOn`	—
`TargetMachine`	—
`TargetDomain`	—
`TargetService`	—
`TargetIP`	—
`TargetNetworkName`	—
`NtlmUsageId`	—
`NtlmUsageReason`	—
`NegotiatedFlags`	—
`NtlmVersion`	—
`SessionKeyStatus`	—
`ChannelBindingStatus`	—
`ServiceBinding`	—
`MicStatus`	—
`AvlFlags`	—
`AvlFlagsStr`	—

Event ID 4022 — A remote client is using NTLM to authenticate to this workstation.

Provider: Microsoft-Windows-NTLM
Channel: Operational

Message

A remote client is using NTLM to authenticate to this workstation.

Process Information:
	Process Name: %1
	Process PID: %2

Remote Client Information:
	Username: %3
	Domain: %4
	Client Machine: %5
	Client IP: %6
	Client Network Name: %7

NTLM Security:
	Negotiated Flags: %8
	NTLM Version: %9
	Session Key Status: %10
	Channel Binding: %11
	Service Binding: %12
	Target Machine: %13
	Target Domain: %14
	MIC Status: %15
	AvlFlags: %16
	AvlFlags String: %17

Status: %18
Status Message: %19

For more information, see aka.ms/ntlmlogandblock

Fields

Name	Description
`ProcessName`	—
`ProcessPID`	—
`Username`	—
`DomainName`	—
`RemoteClientMachine`	—
`ClientIP`	—
`ClientNetworkName`	—
`NegotiatedFlags`	—
`NtlmVersion`	—
`SessionKeyStatus`	—
`ChannelBindingStatus`	—
`ServiceBinding`	—
`TargetMachine`	—
`TargetDomain`	—
`MicStatus`	—
`AvFlags`	—
`AvFlagsStr`	—
`Status`	—
`StatusMsg`	—

Event ID 4023 — A remote client is using NTLM to authenticate to this workstation.

Provider: Microsoft-Windows-NTLM
Channel: Operational

Message

A remote client is using NTLM to authenticate to this workstation.

Process Information:
	Process Name: %1
	Process PID: %2

Remote Client Information:
	Username: %3
	Domain: %4
	Client Machine: %5
	Client IP: %6
	Client Network Name: %7

NTLM Security:
	Negotiated Flags: %8
	NTLM Version: %9
	Session Key Status: %10
	Channel Binding: %11
	Service Binding: %12
	Target Machine: %13
	Target Domain: %14
	MIC Status: %15
	AvlFlags: %16
	AvlFlags String: %17

Status: %18
Status Message: %19

For more information, see aka.ms/ntlmlogandblock

Fields

Name	Description
`ProcessName`	—
`ProcessPID`	—
`Username`	—
`DomainName`	—
`RemoteClientMachine`	—
`ClientIP`	—
`ClientNetworkName`	—
`NegotiatedFlags`	—
`NtlmVersion`	—
`SessionKeyStatus`	—
`ChannelBindingStatus`	—
`ServiceBinding`	—
`TargetMachine`	—
`TargetDomain`	—
`MicStatus`	—
`AvFlags`	—
`AvFlagsStr`	—
`Status`	—
`StatusMsg`	—

Event ID 4024 — Auditing an attempt to use NTLMv1-derived credentials for Single Sign-On.

Provider: Microsoft-Windows-NTLM
Channel: Operational

Message

Auditing an attempt to use NTLMv1-derived credentials for Single Sign-On. 

Target server: %1
Supplied user: %2
Supplied domain: %3
PID of client process: %4
Name of client process: %5
LUID of client process: %6
User identity of client process: %7
Domain name of user identity of client process: %8
Mechanism OID: %9

For more information, see https://go.microsoft.com/fwlink/?linkid=2321802.

Fields

Name	Description
`TargetName`	—
`UserName`	—
`DomainName`	—
`CallerPID`	—
`ProcessName`	—
`ClientLUID`	—
`ClientUserName`	—
`ClientDomainName`	—
`MechanismOID`	—

Event ID 4025 — An attempt to use NTLMv1-derived credentials for Single Sign-On was blocked due to policy.

Provider: Microsoft-Windows-NTLM
Channel: Operational

Message

An attempt to use NTLMv1-derived credentials for Single Sign-On was blocked due to policy.

Target server: %1
Supplied user: %2
Supplied domain: %3
PID of client process: %4
Name of client process: %5
LUID of client process: %6
User identity of client process: %7
Domain name of user identity of client process: %8
Mechanism OID: %9

For more information, see https://go.microsoft.com/fwlink/?linkid=2321802.

Fields

Name	Description
`TargetName`	—
`UserName`	—
`DomainName`	—
`CallerPID`	—
`ProcessName`	—
`ClientLUID`	—
`ClientUserName`	—
`ClientDomainName`	—
`MechanismOID`	—

Event ID 8001 — NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked.

Provider: Microsoft-Windows-NTLM
Channel: Operational

Message

NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked.
Target server: %1
Supplied user: %2
Supplied domain: %3
PID of client process: %4
Name of client process: %5
LUID of client process: %6
User identity of client process: %7
Domain name of user identity of client process: %8
Mechanism OID: %9

Audit the NTLM authentication requests from this computer that would be blocked by the target server %1 if the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers is set to Deny all.

If you want all servers to accept NTLM authentication requests from this computer, set the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Allow all.

If you want only the target server %1 to accept NTLM authentication requests from this computer, set the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Deny all, and then set the security policy Network Security: Restrict NTLM: Add remote server exceptions and list the target server %1 as an exception to use NTLM authentication.

Fields

Name	Description
`TargetName`	—
`UserName`	—
`DomainName`	—
`CallerPID`	—
`ProcessName`	—
`ClientLUID`	—
`ClientUserName`	—
`ClientDomainName`	—
`MechanismOID`	—

Sigma Rules

Potential Remote Desktop Connection to Non-Domain Host
Detects logons using NTLM to hosts that are potentially not part of the domain.

References

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/jj865682(v=ws.10)

Event ID 8002 — NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked Calling process PID: %1 Calling process name: %2 Calling process LUID:...

Provider: Microsoft-Windows-NTLM
Channel: Operational

Message

NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked
Calling process PID: %1
Calling process name: %2
Calling process LUID: %3
Calling process user identity: %4
Calling process domain identity: %5
Mechanism OID: %6

Audit NTLM authentication requests to this server that would be blocked if the security policy Network Security: Restrict NTLM: Incoming NTLM Traffic is set to Deny all accounts or Deny all domain accounts.

If you want this server to allow NTLM authentication, set the security policy Network Security: Restrict NTLM: Incoming NTLM Traffic to Allow all.

Fields

Name	Description
`Calling_process_PID`	—
`Calling_process_name`	—
`Calling_process_LUID`	—
`Calling_process_user_identity`	—
`Calling_process_domain_identity`	—
`Mechanism_OID`	—
`CallerPID`	—
`ProcessName`	—
`ClientLUID`	—
`ClientUserName`	—
`ClientDomainName`	—
`MechanismOID`	—

Sigma Rules

NTLM Logon
Detects logons using NTLM, which could be caused by a legacy source or attackers

References

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/jj865682(v=ws.10)

Event ID 8003 — NTLM server blocked in the domain audit: Audit NTLM authentication in this domain User: %1 Domain: %2 Workstation: %3 PID: %4 Process: %5 Logon typ...

Provider: Microsoft-Windows-NTLM
Channel: Operational

Message

NTLM server blocked in the domain audit: Audit NTLM authentication in this domain
User: %1
Domain: %2
Workstation: %3
PID: %4
Process: %5
Logon type: %6
InProc: %7
Mechanism: %8

Audit NTLM authentication requests within this domain that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to Deny for domain servers or Deny domain accounts to domain servers.

If you want to allow NTLM authentication requests in the domain %1, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests to specific servers in the domain %1, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in this domain to use NTLM authentication.

Fields

Name	Description
`User`	—
`Domain`	—
`Workstation`	—
`PID`	—
`Process`	—
`Logon_type`	—
`InProc`	—
`Mechanism`	—
`UserName`	—
`DomainName`	—
`CallerPID`	—
`ProcessName`	—
`LogonType`	—
`MechanismOID`	—

Community Notes

Appearing prior to 4624/4776 may indicate unsuccessful coercion probes.

References

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/jj865682(v=ws.10)