SigmaHQ/rules/windows/builtin/win_net_ntlm_downgrade.yml

--- 
action: global
title: NetNTLM Downgrade Attack
description: Detects post exploitation using NetNTLM downgrade attacks
references: 
    - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
author: Florian Roth
date: 2018/03/20
tags:
    - attack.credential_access
    - attack.t1212
detection:
    condition: 1 of them
falsepositives:
    - Unknown
level: critical
--- 
logsource:
    product: windows
    service: sysmon
detection:
    selection1:
        EventID: 13
        TargetObject: 
            - '*SYSTEM\\*ControlSet*\Control\Lsa\lmcompatibilitylevel'
            - '*SYSTEM\\*ControlSet*\Control\Lsa\NtlmMinClientSec'
            - '*SYSTEM\\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic'
---
# Windows Security Eventlog: Process Creation with Full Command Line
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
detection:
    selection2:
        EventID: 4657
        ObjectName: '\REGISTRY\MACHINE\SYSTEM\\*ControlSet*\Control\Lsa'
        ObjectValueName: 
            - 'LmCompatibilityLevel'
            - 'NtlmMinClientSec'
            - 'RestrictSendingNTLMTraffic'
Improved NetNTLM downgrade rule 2018-03-20 14:03:55 +00:00			`---`
			`action: global`
Rule: NetNTLM Downgrade Attack https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks 2018-03-20 10:07:21 +00:00			`title: NetNTLM Downgrade Attack`
			`description: Detects post exploitation using NetNTLM downgrade attacks`
Corrected reference to references as per Sigma's standard 2018-12-25 13:25:12 +00:00			`references:`
Rule: NetNTLM Downgrade Attack https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks 2018-03-20 10:07:21 +00:00			`- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks`
			`author: Florian Roth`
			`date: 2018/03/20`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`tags:`
			`- attack.credential_access`
			`- attack.t1212`
Improved NetNTLM downgrade rule 2018-03-20 14:03:55 +00:00			`detection:`
			`condition: 1 of them`
			`falsepositives:`
			`- Unknown`
			`level: critical`
			`---`
Rule: NetNTLM Downgrade Attack https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks 2018-03-20 10:07:21 +00:00			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
Improved NetNTLM downgrade rule 2018-03-20 14:03:55 +00:00			`selection1:`
Rule: NetNTLM Downgrade Attack https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks 2018-03-20 10:07:21 +00:00			`EventID: 13`
			`TargetObject:`
Escaped '\' to '\\' where required 2019-02-02 23:24:57 +00:00			`- 'SYSTEM\\ControlSet*\Control\Lsa\lmcompatibilitylevel'`
			`- 'SYSTEM\\ControlSet*\Control\Lsa\NtlmMinClientSec'`
			`- 'SYSTEM\\ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic'`
Improved NetNTLM downgrade rule 2018-03-20 14:03:55 +00:00			`---`
			`# Windows Security Eventlog: Process Creation with Full Command Line`
			`logsource:`
			`product: windows`
			`service: security`
Replace "logsource: description" with "definition" to match the specs 2018-11-15 06:00:06 +00:00			`definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'`
Improved NetNTLM downgrade rule 2018-03-20 14:03:55 +00:00			`detection:`
			`selection2:`
			`EventID: 4657`
Escaped '\' to '\\' where required 2019-02-02 23:24:57 +00:00			`ObjectName: '\REGISTRY\MACHINE\SYSTEM\\ControlSet\Control\Lsa'`
Improved NetNTLM downgrade rule 2018-03-20 14:03:55 +00:00			`ObjectValueName:`
			`- 'LmCompatibilityLevel'`
			`- 'NtlmMinClientSec'`
			`- 'RestrictSendingNTLMTraffic'`