Detection rules › Sigma

NTLMv1 Logon Between Client and Server

Severity
medium
Author
Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects Windows reporting that NTLMv1 is being used between a client and this server. NTLMv1 is insecure: its DES-based challenge-response can be brute-forced by modern hardware, so any observation of it is worth following up. Two practitioner caveats: the LsaSrv event is raised once per boot of the server, the first time a client authenticates to it with NTLM, so the rule is low-volume and names the server rather than the offending client; to attribute individual logons, correlate with Security event 4624, whose Detailed Authentication Information records the package name (NTLM V1 or NTLM V2).

MITRE ATT&CK coverage

Tactic               Technique
Defense Evasion      T1550.002 Use Alternate Authentication Material: Pass the Hash
Lateral Movement     T1550.002 Use Alternate Authentication Material: Pass the Hash

Event coverage

Provider   Event ID   Title
LsaSrv     6038       Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server.
LsaSrv     6039       Microsoft Windows Server has detected that NTLM authentication is being used between clients and this server.

Stages and Predicates

Stage 1: selection

Provider_Name: LsaSrv
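The selection above, applied to Windows System log records. This is an added example, not code from the Sigma rule or the catalog. It assumes events are available as the XML that wevtutil or Get-WinEvent (.ToXml()) emit, maps the Provider Name attribute and EventID element onto Sigma's windows field names, and combines the Provider_Name predicate with the two event IDs listed under Event coverage; the sample events are constructed, not captured logs.

```python
"""Evaluate the 'selection' of the NTLMv1 Logon rule over Windows event XML.

Added example, not part of the Sigma rule or the catalog it appears in.
Assumes each record is the <Event> XML exported by wevtutil or Get-WinEvent.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Stage 1 'selection': Provider_Name must match AND EventID must be one of
# the IDs listed under Event coverage (a Sigma list value is an OR).
SELECTION = {"Provider_Name": "LsaSrv", "EventID": {6038, 6039}}


def parse_event(xml_text: str) -> dict:
    """Map the <System> element of a Windows event onto Sigma field names."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS)
    return {
        "Provider_Name": provider.get("Name"),
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Computer": system.findtext("e:Computer", namespaces=NS),
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
    }


def matches_selection(event: dict) -> bool:
    """Sigma selection semantics: every field must match; set values are OR."""
    for field, expected in SELECTION.items():
        actual = event.get(field)
        if isinstance(expected, set):
            if actual not in expected:
                return False
        elif actual != expected:
            return False
    return True


def detect(xml_events):
    """Return the parsed records that satisfy the rule's selection."""
    return [e for e in map(parse_event, xml_events) if matches_selection(e)]


def _event(provider: str, event_id: int, computer: str, when: str) -> str:
    """Build a minimal constructed Windows event record (sample data only)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="{provider}"/>
    <EventID>{event_id}</EventID>
    <Level>3</Level>
    <TimeCreated SystemTime="{when}"/>
    <Channel>System</Channel>
    <Computer>{computer}</Computer>
  </System>
</Event>"""


# Constructed sample log: two true hits, a different provider with the same
# event ID (must not match), and an unrelated System event.
SAMPLE_EVENTS = [
    _event("LsaSrv", 6038, "FS01.corp.example", "2024-03-01T08:02:11.000Z"),
    _event("Service Control Manager", 7036, "FS01.corp.example", "2024-03-01T08:02:12.000Z"),
    _event("ExampleProvider", 6038, "FS01.corp.example", "2024-03-01T08:03:00.000Z"),
    _event("LsaSrv", 6039, "DC01.corp.example", "2024-03-01T09:15:40.000Z"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['TimeCreated']} {hit['Computer']} "
              f"{hit['Provider_Name']}/{hit['EventID']}: NTLMv1 reported")
```

The third sample shows why the provider predicate matters: event ID 6038 from any other provider is a different event and must not fire the rule. Because 6038 is logged once per boot, the hit tells you which server saw NTLM, not which client sent it.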

Indicators

Each row is a field, operator, and value that the rule matches.

Field            Kind   Values
Provider_Name    eq     LsaSrv