Event ID 8001 — NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked.

Provider: Microsoft-Windows-NTLM
Channel: Operational
Collection Priority: Recommended (Palantir, others)
Task: AuditingNTLM

Description

NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked.

Message

NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked.
Target server: %1
Supplied user: %2
Supplied domain: %3
PID of client process: %4
Name of client process: %5
LUID of client process: %6
User identity of client process: %7
Domain name of user identity of client process: %8
Mechanism OID: %9

Audit the NTLM authentication requests from this computer that would be blocked by the target server %1 if the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers is set to Deny all.

If you want all servers to accept NTLM authentication requests from this computer, set the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Allow all.

If you want only the target server %1 to accept NTLM authentication requests from this computer, set the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Deny all, and then set the security policy Network Security: Restrict NTLM: Add remote server exceptions and list the target server %1 as an exception to use NTLM authentication.

Fields

Name                Type
TargetName          UnicodeString
UserName            UnicodeString
DomainName          UnicodeString
CallerPID           UInt32
ProcessName         UnicodeString
ClientLUID          HexInt64
ClientUserName      UnicodeString
ClientDomainName    UnicodeString
MechanismOID        UnicodeString
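The message text above explains that 8001 is the audit-only preview of what "Restrict NTLM: Outgoing NTLM traffic to remote servers = Deny all" would block, and the Fields table gives the EventData names. As an added example, not part of this page or of any Microsoft tooling, the Python below parses 8001 records exported as XML from the Microsoft-Windows-NTLM/Operational channel (for instance with `wevtutil qe Microsoft-Windows-NTLM/Operational /q:"*[System[EventID=8001]]" /f:xml`, wrapped in a root element), groups them by target server and driving process, and derives the host list to review before switching to Deny all and populating "Add remote server exceptions". The sample records are constructed; the helper names and the assumption that TargetName carries an SPN-style `service/host` value are mine.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# EventData field names of event 8001, in the order the Fields table lists them.
FIELDS = ("TargetName", "UserName", "DomainName", "CallerPID", "ProcessName",
          "ClientLUID", "ClientUserName", "ClientDomainName", "MechanismOID")

# Namespace of the Windows event XML schema.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event_xml(target, user, domain, pid, proc, luid, cuser, cdomain, oid):
    """Build one constructed 8001 record in the export layout (sample data only)."""
    data = zip(FIELDS, (target, user, domain, pid, proc, luid, cuser, cdomain, oid))
    body = "".join(f'<Data Name="{n}">{v}</Data>' for n, v in data)
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><Provider Name="Microsoft-Windows-NTLM"/><EventID>8001</EventID>'
            '<Channel>Microsoft-Windows-NTLM/Operational</Channel></System>'
            f'<EventData>{body}</EventData></Event>')


# Constructed sample export: three audit events, not taken from a real host.
# The first one has an empty ProcessName, as kernel-originated (PID 4) SMB traffic may.
SAMPLE_EXPORT = "<Events>" + "".join([
    _event_xml("cifs/fileserver01.corp.example", "alice", "CORP", "4", "",
               "0x3e7", "WS01$", "CORP", "1.3.6.1.4.1.311.2.2.10"),
    _event_xml("cifs/fileserver01.corp.example", "alice", "CORP", "1820",
               r"C:\Windows\explorer.exe", "0x1a2b3", "alice", "CORP",
               "1.3.6.1.4.1.311.2.2.10"),
    _event_xml("HTTP/legacy-app.corp.example", "svc_report", "CORP", "2244",
               r"C:\Tools\report.exe", "0x4c5d", "svc_report", "CORP",
               "1.3.6.1.4.1.311.2.2.10"),
]) + "</Events>"


def parse_8001(xml_text):
    """Return one dict per 8001 event, keyed by the Fields-table names."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter("{%s}Event" % NS["e"]):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "8001":
            continue  # other NTLM operational events are out of scope here
        rec = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append(rec)
    return events


def summarize(events):
    """Per target server: number of audits and the processes/users that drove them."""
    summary = defaultdict(lambda: {"count": 0, "processes": set(), "users": set()})
    for rec in events:
        entry = summary[rec["TargetName"]]
        entry["count"] += 1
        # Fall back to the PID when the provider left ProcessName blank.
        entry["processes"].add(rec["ProcessName"] or f"<pid {rec['CallerPID']}>")
        entry["users"].add(f"{rec['DomainName']}\\{rec['UserName']}")
    return dict(summary)


def exception_candidates(events):
    """Host names to review for 'Restrict NTLM: Add remote server exceptions'.
    Assumes TargetName is SPN-shaped (service/host); the policy takes host names."""
    hosts = set()
    for rec in events:
        target = rec["TargetName"]
        hosts.add(target.split("/", 1)[1] if "/" in target else target)
    return sorted(hosts)


if __name__ == "__main__":
    evs = parse_8001(SAMPLE_EXPORT)
    for target, info in summarize(evs).items():
        print(f"{target}: {info['count']} audit(s), processes={sorted(info['processes'])}, "
              f"users={sorted(info['users'])}")
    print("exception candidates:", exception_candidates(evs))
```

Run this over a real export after the policy has sat in audit mode for a representative period; each candidate host is either an application still dependent on NTLM to fix, or an exception to add before moving the policy to Deny all. Unexpected process names against an internal file server are worth a closer look in their own right.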
