Microsoft-Windows-NTLM

21 events across 3 channels

Event ID | Title | Channel
100 | NTLM authentication failed because the account was a member of the Protected … | ProtectedUserFailures-DomainController
101 | NTLM authentication failed because access control restrictions are required. | AuthenticationPolicyFailures-DomainController
301 | NTLM authentication succeeded, but it will fail when Authentication Policy is … | AuthenticationPolicyFailures-DomainController
4001 | NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that … | Operational
4002 | NTLM server blocked: Incoming NTLM traffic to servers that is blocked. | Operational
4003 | NTLM server blocked in the domain: NTLM authentication in this domain that is … | Operational
4010 | NTLM Minimum Client Security Block. | Operational
4011 | NTLM Minimum Server Security Block. | Operational
4012 | NTLM client used the domain password. | Operational
4013 | Attempt to use NTLMv1 failed. | Operational
4014 | Attempt to get credential key by call package blocked by Credential Guard. | Operational
4015 | NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that … | Operational
4020 | This machine attempted to authenticate to a remote resource via NTLM. | Operational
4021 | This machine attempted to authenticate to a remote resource via NTLM. | Operational
4022 | A remote client is using NTLM to authenticate to this workstation. | Operational
4023 | A remote client is using NTLM to authenticate to this workstation. | Operational
4024 | Auditing an attempt to use NTLMv1-derived credentials for Single Sign-On. | Operational
4025 | An attempt to use NTLMv1-derived credentials for Single Sign-On was blocked due … | Operational
8001 | NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would … | Operational
8002 | NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked. | Operational
8003 | NTLM server blocked in the domain audit: Audit NTLM authentication in this … | Operational

Event ID 100 — NTLM authentication failed because the account was a member of the Protected User group.

Provider
Microsoft-Windows-NTLM
Channel
ProtectedUserFailures-DomainController

Description

NTLM authentication failed because the account was a member of the Protected User group.

Message

NTLM authentication failed because the account was a member of the Protected User group.

Account Name: %1
Device Name: %2
Error Code: %3

Fields

Name | Type | Description
Account_Name | UnicodeString
Device_Name | UnicodeString
Error_Code | HexInt32
AccountName | UnicodeString
DeviceName | UnicodeString
Status | HexInt32 | NTSTATUS reference

Event ID 101 — NTLM authentication failed because access control restrictions are required.

Provider
Microsoft-Windows-NTLM
Channel
AuthenticationPolicyFailures-DomainController

Description

NTLM authentication failed because access control restrictions are required.

Message

NTLM authentication failed because access control restrictions are required.

Account Name: %1
Device Name: %2
Error Code: %3

Authentication Policy Information:
	Silo Name: %4
	PolicyName: %5

Fields

Name | Type | Description
Account_Name | UnicodeString
Device_Name | UnicodeString
Error_Code | HexInt32
Silo_Name | UnicodeString | [Authentication Policy Information] Silo Name.
PolicyName | UnicodeString | [Authentication Policy Information] PolicyName.
AccountName | UnicodeString
DeviceName | UnicodeString
Status | HexInt32 | NTSTATUS reference
SiloName | UnicodeString

Event ID 301 — NTLM authentication succeeded, but it will fail when Authentication Policy is enforced because access control restrictions are required.

Provider
Microsoft-Windows-NTLM
Channel
AuthenticationPolicyFailures-DomainController

Description

NTLM authentication succeeded, but it will fail when Authentication Policy is enforced because access control restrictions are required.

Message

NTLM authentication succeded, but it will fail when Authentication Policy is enforced because access control restrictions are required.

Account Name: %1
Device Name: %2
Error Code: %3

Authentication Policy Information:
	Silo Name: %4
	PolicyName: %5

Fields

Name | Type | Description
Account_Name | UnicodeString
Device_Name | UnicodeString
Error_Code | HexInt32
Silo_Name | UnicodeString | [Authentication Policy Information] Silo Name.
PolicyName | UnicodeString | [Authentication Policy Information] PolicyName.
AccountName | UnicodeString
DeviceName | UnicodeString
Status | HexInt32 | NTSTATUS reference
SiloName | UnicodeString

Event ID 4001 — NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked.

Provider
Microsoft-Windows-NTLM
Channel
Operational
Level
3
Collection Priority
Recommended (Yamato Security)
Task
BlockingNTLM

Description

NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked.

Message

NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked.
Target server: %1
Supplied user: %2
Supplied domain: %3
PID of client process: %4
Name of client process: %5
LUID of client process: %6
User identity of client process: %7
Domain name of user identity of client process: %8
Mechanism OID: %9

NTLM authentication requests from this computer are blocked.

If you want to allow this computer to use NTLM authentication, set the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Allow all.

If you want only the target server %1 to accept NTLM authentication requests from this computer, set the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Deny all and then set the security policy Network Security: Restrict NTLM: Add remote server exceptions and list the target server %1 as an exception to use NTLM authentication.

Fields

Name | Type | Description
TargetName | UnicodeString
UserName | UnicodeString
DomainName | UnicodeString
CallerPID | UInt32
ProcessName | UnicodeString
ClientLUID | HexInt64
ClientUserName | UnicodeString
ClientDomainName | UnicodeString
MechanismOID | UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-NTLM",
    "guid": "ac43300d-5fcc-4800-8e99-1bd3f85f0320",
    "event_source_name": "",
    "event_id": 4001,
    "version": 0,
    "level": 3,
    "task": 1,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-05-03T21:03:06.9528515+00:00",
    "event_record_id": 32,
    "correlation": {
      "ActivityID": "64478093-d4f9-0001-1c81-4764f9d4dc01",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 976,
      "thread_id": 1364
    },
    "channel": "Microsoft-Windows-NTLM/Operational",
    "computer": "DESKTOP-K7Q9MS2",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "TargetName": "cifs/127.0.0.1",
    "UserName": "bogus",
    "DomainName": "BOGUS",
    "CallerPID": "4",
    "ProcessName": "",
    "ClientLUID": "0x4641e93",
    "ClientUserName": "localuser",
    "ClientDomainName": "DESKTOP-K7Q9MS2",
    "MechanismOID": "(NULL)"
  },
  "message": "NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked.\r\nTarget server: cifs/127.0.0.1\r\nSupplied user: bogus\r\nSupplied domain: BOGUS\r\nPID of client process: 4\r\nName of client process: \r\nLUID of client process: 0x4641E93\r\nUser identity of client process: localuser\r\nDomain name of user identity of client process: DESKTOP-K7Q9MS2\r\nMechanism OID: (NULL)\r\n\r\nNTLM authentication requests from this computer are blocked.\r\n\r\nIf you want to allow this computer to use NTLM authentication, set the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Allow all.\r\n\r\nIf you want only the target server cifs/127.0.0.1 to accept NTLM authentication requests from this computer, set the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Deny all and then set the security policy Network Security: Restrict NTLM: Add remote server exceptions and list the target server cifs/127.0.0.1 as an exception to use NTLM authentication."
}

Event ID 4002 — NTLM server blocked: Incoming NTLM traffic to servers that is blocked.

Provider
Microsoft-Windows-NTLM
Channel
Operational
Collection Priority
Recommended (Yamato Security)
Task
BlockingNTLM

Description

NTLM server blocked: Incoming NTLM traffic to servers that is blocked.

Message

NTLM server blocked: Incoming NTLM traffic to servers that is blocked
Calling process PID: %1
Calling process name: %2
Calling process LUID: %3
Calling process user identity: %4
Calling process domain identity: %5
Mechanism OID: %6

NTLM authentication requests to this server have been blocked.

If you want this server to allow NTLM authentication, set the security policy Network Security: Restrict NTLM: Incoming NTLM Traffic to Allow all.

Fields

Name | Type | Description
Calling_process_PID | UInt32
Calling_process_name | UnicodeString
Calling_process_LUID | HexInt64
Calling_process_user_identity | UnicodeString
Calling_process_domain_identity | UnicodeString
Mechanism_OID | UnicodeString
CallerPID | UInt32
ProcessName | UnicodeString
ClientLUID | HexInt64
ClientUserName | UnicodeString
ClientDomainName | UnicodeString
MechanismOID | UnicodeString

Event ID 4003 — NTLM server blocked in the domain: NTLM authentication in this domain that is blocked.

Provider
Microsoft-Windows-NTLM
Channel
Operational
Collection Priority
Recommended (Yamato Security)
Task
BlockingNTLM

Description

NTLM server blocked in the domain: NTLM authentication in this domain that is blocked.

Message

NTLM server blocked in the domain: NTLM authentication in this domain that is blocked
User: %1
Domain: %2
Workstation: %3
PID: %4
Process: %5
Logon type: %6
InProc: %7
Mechanism: %8

NTLM authentication within the domain %2 is blocked.

If you want to allow NTLM authentication requests in the domain %1, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests only to specific servers in the domain %1, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in this domain as an exception to use NTLM authentication.

Fields

Name | Type | Description
User | UnicodeString
Domain | UnicodeString
Workstation | UnicodeString
PID | UInt32
Process | UnicodeString
Logon_type | UInt32 | Logon type reference
InProc | Boolean
Mechanism | UnicodeString
UserName | UnicodeString
DomainName | UnicodeString
CallerPID | UInt32
ProcessName | UnicodeString
LogonType | UInt32 | Logon type reference
MechanismOID | UnicodeString

Event ID 4010 — NTLM Minimum Client Security Block.

Provider
Microsoft-Windows-NTLM
Channel
Operational
Collection Priority
Recommended (Yamato Security)

Description

NTLM Minimum Client Security Block.

Message

NTLM Minimum Client Security Block:
Calling process PID: %1
Calling Process Name: %2
Negotiated Security Flags: %3
Minimum Security Flags: %4

Fields

Name | Type | Description
Calling_process_PID | UInt32 | [NTLM Minimum Client Security Block] Calling process PID.
Calling_Process_Name | UnicodeString | [NTLM Minimum Client Security Block] Calling Process Name.
Negotiated_Security_Flags | HexInt32 | [NTLM Minimum Client Security Block] Negotiated Security Flags.
Minimum_Security_Flags | HexInt32 | [NTLM Minimum Client Security Block] Minimum Security Flags.
CallerPID | UInt32
ProcessName | UnicodeString
NegotiatedSecurity | HexInt32
RequiredSecurity | HexInt32

Event ID 4011 — NTLM Minimum Server Security Block.

Provider
Microsoft-Windows-NTLM
Channel
Operational
Collection Priority
Recommended (Yamato Security)

Description

NTLM Minimum Server Security Block.

Message

NTLM Minimum Server Security Block:
Calling process PID: %1
Calling Process Name: %2
Negotiated Security Flags: %3
Minimum Security Flags: %4

Fields

Name | Type | Description
Calling_process_PID | UInt32 | [NTLM Minimum Server Security Block] Calling process PID.
Calling_Process_Name | UnicodeString | [NTLM Minimum Server Security Block] Calling Process Name.
Negotiated_Security_Flags | HexInt32 | [NTLM Minimum Server Security Block] Negotiated Security Flags.
Minimum_Security_Flags | HexInt32 | [NTLM Minimum Server Security Block] Minimum Security Flags.
CallerPID | UInt32
ProcessName | UnicodeString
NegotiatedSecurity | HexInt32
RequiredSecurity | HexInt32

Event ID 4012 — NTLM client used the domain password.

Provider
Microsoft-Windows-NTLM
Channel
Operational
Collection Priority
Recommended (Yamato Security)

Description

NTLM client used the domain password. The attempt to use the DC-generated NTLM secret failed, and fallback to the domain password succeeded.

Message

NTLM client used the domain password. The attempt to use the DC-generated NTLM secret failed, and fallback to the domain password succeeded.
Account Name: %1
Device Name: %2

Fields

Name | Type | Description
Account_Name | UnicodeString
Device_Name | UnicodeString
AccountName | UnicodeString
DeviceName | UnicodeString

Event ID 4013 — Attempt to use NTLMv1 failed.

Provider
Microsoft-Windows-NTLM
Channel
Operational
Collection Priority
Recommended (Yamato Security)

Description

Attempt to use NTLMv1 failed.

Message

Attempt to use NTLMv1 failed.

Target server: %1
Supplied user: %2
Supplied domain: %3
PID of client process: %4
Name of client process: %5
LUID of client process: %6
User identity of client process: %7
Domain name of user identity of client process: %8
Mechanism OID: %9

This device does not support NTLMv1. For more information, see https://go.microsoft.com/fwlink/?linkid=856826.

Fields

Name | Type | Description
TargetName | UnicodeString
UserName | UnicodeString
DomainName | UnicodeString
CallerPID | UInt32
ProcessName | UnicodeString
ClientLUID | HexInt64
ClientUserName | UnicodeString
ClientDomainName | UnicodeString
MechanismOID | UnicodeString

Event ID 4014 — Attempt to get credential key by call package blocked by Credential Guard.

Provider
Microsoft-Windows-NTLM
Channel
Operational
Level
Error
Collection Priority
Recommended (Yamato Security)

Description

Attempt to get credential key by call package blocked by Credential Guard.

Message

Attempt to get credential key by call package blocked by Credential Guard.

Calling Process Name: %1
Service Host Tag: %2

Fields

Name | Type | Description
ImageName | UnicodeString
SvcHostTag | UnicodeString
Calling_Process_Name | UnicodeString
Service_Host_Tag | UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-NTLM",
    "guid": "AC43300D-5FCC-4800-8E99-1BD3F85F0320",
    "event_source_name": "",
    "event_id": 4014,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-12T01:53:29.127433+00:00",
    "event_record_id": 1103,
    "correlation": {
      "ActivityID": "EFDC13CA-B670-4786-969E-784D6C91B8C8"
    },
    "execution": {
      "process_id": 720,
      "thread_id": 6076
    },
    "channel": "Microsoft-Windows-NTLM/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ImageName": "svchost",
    "SvcHostTag": ""
  },
  "message": ""
}

Event ID 4015 — NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked.

Provider
Microsoft-Windows-NTLM
Channel
Operational
Collection Priority
Recommended (Yamato Security)
Task
BlockingNTLM

Description

NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked.

Message

NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked.
Target server: %1
Supplied user: %2
Supplied domain: %3
PID of client process: %4
Name of client process: %5
LUID of client process: %6
User identity of client process: %7
Domain name of user identity of client process: %8
Mechanism OID: %9

An application on this computer attempted NTLM for authentication but the application explicitly blocks NTLM usage. Using an IP address or local user credentials from a remote computer may lead to an NTLM authentication attempt. This event does not mean that NTLM is blocked for all authentication attempts from this computer.

Fields

Name | Type | Description
TargetName | UnicodeString
UserName | UnicodeString
DomainName | UnicodeString
CallerPID | UInt32
ProcessName | UnicodeString
ClientLUID | HexInt64
ClientUserName | UnicodeString
ClientDomainName | UnicodeString
MechanismOID | UnicodeString

Event ID 4020 — This machine attempted to authenticate to a remote resource via NTLM.

Provider
Microsoft-Windows-NTLM
Channel
Operational
Collection Priority
Recommended (Yamato Security)
Task
AuditingNTLM

Description

This machine attempted to authenticate to a remote resource via NTLM.

Message

This machine attempted to authenticate to a remote resource via NTLM.

Process Information:
	Process Name: %1
	Process PID: %2

Client Information:
	Username: %3
	Domain: %4
	Hostname: %5 
	Sign-On Type: %6

Target Information:
	Target Machine: %7
	Target Domain: %8
	Target Resource: %9
	Target IP: %10
	Target Network Name: %11

NTLM Usage:
	Reason ID: %12
	Reason: %13

NTLM Security:
	Negotiated Flags: %14
	NTLM Version: %15
	Session Key Status: %16
	Channel Binding: %17
	Service Binding: %18
	MIC Status: %19
	AvFlags: %20
	AvFlags String: %21

For more information, see aka.ms/ntlmlogandblock

Fields

Name | Type | Description
ProcessName | UnicodeString
ProcessPID | HexInt32
Username | UnicodeString
DomainName | UnicodeString
Hostname | UnicodeString
SingleSignOn | UnicodeString
TargetMachine | UnicodeString
TargetDomain | UnicodeString
TargetService | UnicodeString
TargetIP | UnicodeString
TargetNetworkName | UnicodeString
NtlmUsageId | UInt32
NtlmUsageReason | UnicodeString
NegotiatedFlags | HexInt32
NtlmVersion | UnicodeString
SessionKeyStatus | UnicodeString
ChannelBindingStatus | UnicodeString
ServiceBinding | UnicodeString
MicStatus | UnicodeString
AvlFlags | HexInt32
AvlFlagsStr | UnicodeString

Event ID 4021 — This machine attempted to authenticate to a remote resource via NTLM.

Provider
Microsoft-Windows-NTLM
Channel
Operational
Collection Priority
Recommended (Yamato Security)
Task
AuditingNTLM

Description

This machine attempted to authenticate to a remote resource via NTLM.

Message

This machine attempted to authenticate to a remote resource via NTLM.

Process Information:
	Process Name: %1
	Process PID: %2

Client Information:
	Username: %3
	Domain: %4
	Hostname: %5 
	Sign-On Type: %6

Target Information:
	Target Machine: %7
	Target Domain: %8
	Target Resource: %9
	Target IP: %10
	Target Network Name: %11

NTLM Usage:
	Reason ID: %12
	Reason: %13

NTLM Security:
	Negotiated Flags: %14
	NTLM Version: %15
	Session Key Status: %16
	Channel Binding: %17
	Service Binding: %18
	MIC Status: %19
	AvFlags: %20
	AvFlags String: %21

For more information, see aka.ms/ntlmlogandblock

Fields

Name | Type | Description
ProcessName | UnicodeString
ProcessPID | HexInt32
Username | UnicodeString
DomainName | UnicodeString
Hostname | UnicodeString
SingleSignOn | UnicodeString
TargetMachine | UnicodeString
TargetDomain | UnicodeString
TargetService | UnicodeString
TargetIP | UnicodeString
TargetNetworkName | UnicodeString
NtlmUsageId | UInt32
NtlmUsageReason | UnicodeString
NegotiatedFlags | HexInt32
NtlmVersion | UnicodeString
SessionKeyStatus | UnicodeString
ChannelBindingStatus | UnicodeString
ServiceBinding | UnicodeString
MicStatus | UnicodeString
AvlFlags | HexInt32
AvlFlagsStr | UnicodeString

Event ID 4022 — A remote client is using NTLM to authenticate to this workstation.

Provider
Microsoft-Windows-NTLM
Channel
Operational
Collection Priority
Recommended (Yamato Security)
Task
AuditingNTLM

Description

A remote client is using NTLM to authenticate to this workstation.

Message

A remote client is using NTLM to authenticate to this workstation.

Process Information:
	Process Name: %1
	Process PID: %2

Remote Client Information:
	Username: %3
	Domain: %4
	Client Machine: %5
	Client IP: %6
	Client Network Name: %7

NTLM Security:
	Negotiated Flags: %8
	NTLM Version: %9
	Session Key Status: %10
	Channel Binding: %11
	Service Binding: %12
	Target Machine: %13
	Target Domain: %14
	MIC Status: %15
	AvlFlags: %16
	AvlFlags String: %17

Status: %18
Status Message: %19

For more information, see aka.ms/ntlmlogandblock

Fields

Name | Type | Description
ProcessName | UnicodeString
ProcessPID | HexInt32
Username | UnicodeString
DomainName | UnicodeString
RemoteClientMachine | UnicodeString
ClientIP | UnicodeString
ClientNetworkName | UnicodeString
NegotiatedFlags | HexInt32
NtlmVersion | UnicodeString
SessionKeyStatus | UnicodeString
ChannelBindingStatus | UnicodeString
ServiceBinding | UnicodeString
TargetMachine | UnicodeString
TargetDomain | UnicodeString
MicStatus | UnicodeString
AvFlags | HexInt32
AvFlagsStr | UnicodeString
Status | HexInt32 | NTSTATUS reference
StatusMsg | UInt32

Event ID 4023 — A remote client is using NTLM to authenticate to this workstation.

Provider
Microsoft-Windows-NTLM
Channel
Operational
Collection Priority
Recommended (Yamato Security)
Task
AuditingNTLM

Description

A remote client is using NTLM to authenticate to this workstation.

Message

A remote client is using NTLM to authenticate to this workstation.

Process Information:
	Process Name: %1
	Process PID: %2

Remote Client Information:
	Username: %3
	Domain: %4
	Client Machine: %5
	Client IP: %6
	Client Network Name: %7

NTLM Security:
	Negotiated Flags: %8
	NTLM Version: %9
	Session Key Status: %10
	Channel Binding: %11
	Service Binding: %12
	Target Machine: %13
	Target Domain: %14
	MIC Status: %15
	AvlFlags: %16
	AvlFlags String: %17

Status: %18
Status Message: %19

For more information, see aka.ms/ntlmlogandblock

Fields

Name | Type | Description
ProcessName | UnicodeString
ProcessPID | HexInt32
Username | UnicodeString
DomainName | UnicodeString
RemoteClientMachine | UnicodeString
ClientIP | UnicodeString
ClientNetworkName | UnicodeString
NegotiatedFlags | HexInt32
NtlmVersion | UnicodeString
SessionKeyStatus | UnicodeString
ChannelBindingStatus | UnicodeString
ServiceBinding | UnicodeString
TargetMachine | UnicodeString
TargetDomain | UnicodeString
MicStatus | UnicodeString
AvFlags | HexInt32
AvFlagsStr | UnicodeString
Status | HexInt32 | NTSTATUS reference
StatusMsg | UInt32

Event ID 4024 — Auditing an attempt to use NTLMv1-derived credentials for Single Sign-On.

Provider
Microsoft-Windows-NTLM
Channel
Operational
Collection Priority
Recommended (Yamato Security)

Description

Auditing an attempt to use NTLMv1-derived credentials for Single Sign-On.

Message

Auditing an attempt to use NTLMv1-derived credentials for Single Sign-On. 

Target server: %1
Supplied user: %2
Supplied domain: %3
PID of client process: %4
Name of client process: %5
LUID of client process: %6
User identity of client process: %7
Domain name of user identity of client process: %8
Mechanism OID: %9

For more information, see https://go.microsoft.com/fwlink/?linkid=2321802.

Fields

Name | Type | Description
TargetName | UnicodeString
UserName | UnicodeString
DomainName | UnicodeString
CallerPID | UInt32
ProcessName | UnicodeString
ClientLUID | HexInt64
ClientUserName | UnicodeString
ClientDomainName | UnicodeString
MechanismOID | UnicodeString

Event ID 4025 — An attempt to use NTLMv1-derived credentials for Single Sign-On was blocked due to policy.

Provider
Microsoft-Windows-NTLM
Channel
Operational
Collection Priority
Recommended (Yamato Security)

Description

An attempt to use NTLMv1-derived credentials for Single Sign-On was blocked due to policy.

Message

An attempt to use NTLMv1-derived credentials for Single Sign-On was blocked due to policy.

Target server: %1
Supplied user: %2
Supplied domain: %3
PID of client process: %4
Name of client process: %5
LUID of client process: %6
User identity of client process: %7
Domain name of user identity of client process: %8
Mechanism OID: %9

For more information, see https://go.microsoft.com/fwlink/?linkid=2321802.

Fields

Name | Type | Description
TargetName | UnicodeString
UserName | UnicodeString
DomainName | UnicodeString
CallerPID | UInt32
ProcessName | UnicodeString
ClientLUID | HexInt64
ClientUserName | UnicodeString
ClientDomainName | UnicodeString
MechanismOID | UnicodeString

Event ID 8001 — NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked.

Provider
Microsoft-Windows-NTLM
Channel
Operational
Collection Priority
Recommended (Palantir, others)
Task
AuditingNTLM

Description

NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked.

Message

NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked.
Target server: %1
Supplied user: %2
Supplied domain: %3
PID of client process: %4
Name of client process: %5
LUID of client process: %6
User identity of client process: %7
Domain name of user identity of client process: %8
Mechanism OID: %9

Audit the NTLM authentication requests from this computer that would be blocked by the target server %1 if the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers is set to Deny all.

If you want all servers to accept NTLM authentication requests from this computer, set the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Allow all.

If you want only the target server %1 to accept NTLM authentication requests from this computer, set the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Deny all, and then set the security policy Network Security: Restrict NTLM: Add remote server exceptions and list the target server %1 as an exception to use NTLM authentication.

Fields

Name | Type | Description
TargetName | UnicodeString
UserName | UnicodeString
DomainName | UnicodeString
CallerPID | UInt32
ProcessName | UnicodeString
ClientLUID | HexInt64
ClientUserName | UnicodeString
ClientDomainName | UnicodeString
MechanismOID | UnicodeString

Event ID 8002 — NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked.

Provider
Microsoft-Windows-NTLM
Channel
Operational
Level
Informational
Collection Priority
Recommended (Palantir, others)
Task
AuditingNTLM

Description

NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked.

Message

NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked
Calling process PID: %1
Calling process name: %2
Calling process LUID: %3
Calling process user identity: %4
Calling process domain identity: %5
Mechanism OID: %6

Audit NTLM authentication requests to this server that would be blocked if the security policy Network Security: Restrict NTLM: Incoming NTLM Traffic is set to Deny all accounts or Deny all domain accounts.

If you want this server to allow NTLM authentication, set the security policy Network Security: Restrict NTLM: Incoming NTLM Traffic to Allow all.

Fields

Name | Type | Description
CallerPID | UInt32
ProcessName | UnicodeString
ClientLUID | HexInt64
ClientUserName | UnicodeString
ClientDomainName | UnicodeString
MechanismOID | UnicodeString
Calling_process_PID | UInt32
Calling_process_name | UnicodeString
Calling_process_LUID | HexInt64
Calling_process_user_identity | UnicodeString
Calling_process_domain_identity | UnicodeString
Mechanism_OID | UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-NTLM",
    "guid": "AC43300D-5FCC-4800-8E99-1BD3F85F0320",
    "event_source_name": "",
    "event_id": 8002,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-12T02:56:00.824258+00:00",
    "event_record_id": 1104,
    "correlation": {
      "ActivityID": "CC8E79E3-F5C5-4F46-89CF-44829F945FA1"
    },
    "execution": {
      "process_id": 720,
      "thread_id": 12064
    },
    "channel": "Microsoft-Windows-NTLM/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "CallerPID": 720,
    "ProcessName": "C:\\Windows\\System32\\lsass.exe",
    "ClientLUID": "0x3e4",
    "ClientUserName": "LAB-WIN11$",
    "ClientDomainName": "WORKGROUP",
    "MechanismOID": "(NULL)"
  },
  "message": ""
}

Detection Rules

Sigma

  • NTLM Logon source low: Detects logons using NTLM, which could be caused by a legacy source or attackers

Event ID 8003 — NTLM server blocked in the domain audit: Audit NTLM authentication in this domain.

Provider
Microsoft-Windows-NTLM
Channel
Operational
Level
Informational
Collection Priority
Recommended (Palantir, others)
Task
AuditingNTLM

Description

NTLM server blocked in the domain audit: Audit NTLM authentication in this domain.

Message

NTLM server blocked in the domain audit: Audit NTLM authentication in this domain
User: %1
Domain: %2
Workstation: %3
PID: %4
Process: %5
Logon type: %6
InProc: %7
Mechanism: %8

Audit NTLM authentication requests within this domain that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to Deny for domain servers or Deny domain accounts to domain servers.

If you want to allow NTLM authentication requests in the domain %1, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests to specific servers in the domain %1, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in this domain to use NTLM authentication.

Fields

Name | Type | Description
UserName | UnicodeString
DomainName | UnicodeString
Workstation | UnicodeString
CallerPID | UInt32
ProcessName | UnicodeString
LogonType | UInt32 | Logon type reference
InProc | Boolean
MechanismOID | UnicodeString
User | UnicodeString
Domain | UnicodeString
PID | UInt32
Process | UnicodeString
Logon_type | UInt32 | Logon type reference
Mechanism | UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-NTLM",
    "guid": "AC43300D-5FCC-4800-8E99-1BD3F85F0320",
    "event_source_name": "",
    "event_id": 8003,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-09T00:55:20.842728+00:00",
    "event_record_id": 957,
    "correlation": {
      "ActivityID": "4F958266-269A-4D65-B9BD-F5FA499B7442"
    },
    "execution": {
      "process_id": 764,
      "thread_id": 3132
    },
    "channel": "Microsoft-Windows-NTLM/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "UserName": "domainuser",
    "DomainName": "LUDUS",
    "Workstation": "(NULL)",
    "CallerPID": 764,
    "ProcessName": "C:\\Windows\\System32\\lsass.exe",
    "LogonType": 3,
    "InProc": true,
    "MechanismOID": "(NULL)"
  },
  "message": ""
}
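The block/audit/NTLMv1 groupings documented above are what an analyst keys on when reviewing this channel, and the example events show that the same logical field arrives under different names (CallerPID, Calling_process_PID, PID) and even different JSON types (CallerPID is the string "4" in the 4001 example and the integer 720 in the 8002 example). The following Python triage helper is an added example, not code from this reference page, from Microsoft, or from any of the collection-priority sources it cites; it consumes records in the shape of the page's Example Event sections (system.event_id, system.computer, event_data), normalises those field-name and type differences, and rolls a batch up into hard blocks to investigate, audit hits per process (the inventory needed before moving a Restrict NTLM policy to Deny), NTLMv1 use, and any event IDs not in the page's tables. SAMPLE_RECORDS, with its host names, users, PIDs and the placeholder event ID 9999, is constructed for this example.

```python
"""Triage of Microsoft-Windows-NTLM/Operational records (added example, not page code).

Records are expected in the JSON shape of the page's Example Event sections:
{"system": {"event_id": ..., "computer": ...}, "event_data": {...}}.
"""
from collections import Counter

# Event IDs documented on the reference page, grouped by what a defender does with them.
BLOCK_EVENTS = {
    4001: "outgoing NTLM blocked by policy",
    4002: "incoming NTLM blocked by policy",
    4003: "NTLM blocked in the domain",
    4010: "client minimum-security block",
    4011: "server minimum-security block",
    4015: "outgoing NTLM blocked by the calling application",
}
AUDIT_EVENTS = {
    8001: "outgoing NTLM would be blocked under Deny all",
    8002: "incoming NTLM would be blocked under Deny",
    8003: "domain NTLM would be blocked under Deny",
    4020: "this machine used NTLM to a remote resource",
    4021: "this machine used NTLM to a remote resource",
    4022: "remote client used NTLM to this workstation",
    4023: "remote client used NTLM to this workstation",
}
NTLMV1_EVENTS = {
    4013: "NTLMv1 attempt failed",
    4024: "NTLMv1-derived SSO credential use audited",
    4025: "NTLMv1-derived SSO credential use blocked",
}
INFO_EVENTS = {
    301: "succeeded now, will fail when Authentication Policy is enforced",
    4012: "client fell back to the domain password",
    4014: "credential key request blocked by Credential Guard",
}


def to_int(value):
    """Normalise numeric fields: the page's 4001 example carries CallerPID as the
    string "4", the 8002 example as the int 720, and LUIDs arrive as hex strings."""
    if value is None or value == "":
        return None
    try:
        return int(str(value), 0)  # base 0 accepts "4", "720" and "0x3e4"
    except ValueError:
        return None


def first(data, *keys):
    """Return the first present, non-empty value among alternative field names;
    the same logical field is named differently across the page's Fields tables."""
    for key in keys:
        value = data.get(key)
        if value not in (None, "", "(NULL)"):
            return value
    return None


def triage(record):
    """Classify one record and pull out the fields an analyst pivots on."""
    system = record.get("system") or {}
    data = record.get("event_data") or {}
    eid = to_int(system.get("event_id"))
    for category, table in (("block", BLOCK_EVENTS), ("audit", AUDIT_EVENTS),
                            ("ntlmv1", NTLMV1_EVENTS), ("info", INFO_EVENTS)):
        if eid in table:
            label = table[eid]
            break
    else:
        category, label = "unclassified", "event id not documented for this provider"
    return {
        "event_id": eid,
        "category": category,
        "label": label,
        "computer": system.get("computer"),
        "process": first(data, "ProcessName", "Process", "Calling_process_name", "ImageName"),
        "pid": to_int(first(data, "CallerPID", "Calling_process_PID", "PID", "ProcessPID")),
        "subject": first(data, "ClientUserName", "Calling_process_user_identity",
                         "UserName", "User", "Username", "AccountName"),
        # Incoming-side events name no target; the receiving computer is the target.
        "target": first(data, "TargetName", "TargetMachine", "DeviceName") or system.get("computer"),
    }


def summarize(records):
    """Roll a batch up into what to act on."""
    rows = [triage(r) for r in records]
    return {
        "blocks": [(r["event_id"], r["computer"], r["process"], r["target"])
                   for r in rows if r["category"] == "block"],
        "audit_by_process": Counter(r["process"] or "<unknown>"
                                    for r in rows if r["category"] == "audit"),
        "ntlmv1": [(r["event_id"], r["subject"], r["target"])
                   for r in rows if r["category"] == "ntlmv1"],
        "unclassified_ids": sorted({r["event_id"] for r in rows if r["category"] == "unclassified"}),
    }


def _rec(eid, computer, **data):
    # Constructed record in the page's example-event shape (only the keys used here).
    return {"system": {"event_id": eid, "computer": computer}, "event_data": data}


SAMPLE_RECORDS = [  # constructed sample input; names and PIDs are placeholders
    _rec(4001, "WS01", TargetName="cifs/fileserver01", UserName="svc", DomainName="CORP",
         CallerPID="4", ProcessName="", ClientUserName="alice", ClientDomainName="CORP"),
    _rec(8002, "SRV01", CallerPID=720, ProcessName="C:\\Windows\\System32\\lsass.exe",
         ClientLUID="0x3e4", ClientUserName="SRV01$", ClientDomainName="CORP"),
    _rec(8002, "SRV01", CallerPID=720, ProcessName="C:\\Windows\\System32\\lsass.exe",
         ClientLUID="0x3e4", ClientUserName="SRV01$", ClientDomainName="CORP"),
    _rec(8003, "DC01.corp.example", UserName="bob", DomainName="CORP", Workstation="(NULL)",
         CallerPID=764, ProcessName="C:\\Windows\\System32\\lsass.exe", LogonType=3, InProc=True),
    _rec(4013, "WS02", TargetName="cifs/legacy-nas", UserName="carol", DomainName="CORP",
         CallerPID="1234", ProcessName="explorer.exe"),
    _rec(4014, "WS02", ImageName="svchost", SvcHostTag=""),
    _rec(9999, "WS02"),  # placeholder id, not an NTLM provider event
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORDS).items():
        print(key, value)
```

The audit counter is the useful output for an NTLM-reduction project: 8001/8002/8003 fire only in audit mode, so a run over a few weeks of these records tells you which processes and targets would break before a Deny setting is applied, while the 4001/4002/4003 list shows what already broke.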

Community Notes

Appearing prior to 4624/4776 may indicate unsuccessful coercion probes.
