SigmaHQ/rules/windows/builtin/win_susp_ntlm_auth.yml

title: NTLM Logon
id: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b
status: experimental
description: Detects logons using NTLM, which could be caused by a legacy source or attackers
references:
    - https://twitter.com/JohnLaTwC/status/1004895028995477505
    - https://goo.gl/PsqrhT
author: Florian Roth
date: 2018/06/08
tags:
    - attack.lateral_movement
    - attack.t1075
logsource:
    product: windows
    service: ntlm
    definition: Reqiures events from Microsoft-Windows-NTLM/Operational
detection:
    selection:
        EventID: 8002
        CallingProcessName: '*'  # We use this to avoid false positives with ID 8002 on other log sources if the logsource isn't set correctly
    condition: selection
falsepositives:
    - Legacy hosts
level: low
Rule: NTLM logon 2018-06-08 09:45:49 +00:00			`title: NTLM Logon`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b`
Rule: NTLM logon 2018-06-08 09:45:49 +00:00			`status: experimental`
			`description: Detects logons using NTLM, which could be caused by a legacy source or attackers`
			`references:`
			`- https://twitter.com/JohnLaTwC/status/1004895028995477505`
			`- https://goo.gl/PsqrhT`
			`author: Florian Roth`
			`date: 2018/06/08`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`tags:`
rules update 2019-03-05 23:43:42 +00:00			`- attack.lateral_movement`
			`- attack.t1075`
Rule: NTLM logon 2018-06-08 09:45:49 +00:00			`logsource:`
			`product: windows`
			`service: ntlm`
Replace "logsource: description" with "definition" to match the specs 2018-11-15 06:00:06 +00:00			`definition: Reqiures events from Microsoft-Windows-NTLM/Operational`
Rule: NTLM logon 2018-06-08 09:45:49 +00:00			`detection:`
			`selection:`
			`EventID: 8002`
			`CallingProcessName: '*' # We use this to avoid false positives with ID 8002 on other log sources if the logsource isn't set correctly`
			`condition: selection`
			`falsepositives:`
			`- Legacy hosts`
			`level: low`