SigmaHQ/rules/windows/builtin/win_net_ntlm_downgrade.yml

action: global
title: NetNTLM Downgrade Attack
id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
description: Detects NetNTLM downgrade attack
references:
    - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
author: Florian Roth
date: 2018/03/20
modified: 2020/08/23
tags:
    - attack.defense_evasion
    - attack.t1089          # an old one
    - attack.t1562.001
    - attack.t1112
detection:
    condition: 1 of them
falsepositives:
    - Unknown
level: critical
---
logsource:
    product: windows
    service: sysmon
detection:
    selection1:
        EventID: 13
        TargetObject: 
            - '*SYSTEM\\*ControlSet*\Control\Lsa\lmcompatibilitylevel'
            - '*SYSTEM\\*ControlSet*\Control\Lsa*\NtlmMinClientSec'
            - '*SYSTEM\\*ControlSet*\Control\Lsa*\RestrictSendingNTLMTraffic'
---
# Windows Security Eventlog: Process Creation with Full Command Line
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
detection:
    selection2:
        EventID: 4657
        ObjectName: '\REGISTRY\MACHINE\SYSTEM\\*ControlSet*\Control\Lsa*'
        ObjectValueName: 
            - 'LmCompatibilityLevel'
            - 'NtlmMinClientSec'
            - 'RestrictSendingNTLMTraffic'
Improved NetNTLM downgrade rule 2018-03-20 14:03:55 +00:00			`action: global`
Rule: NetNTLM Downgrade Attack https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks 2018-03-20 10:07:21 +00:00			`title: NetNTLM Downgrade Attack`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-24 23:09:17 +00:00			`description: Detects NetNTLM downgrade attack`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`references:`
Rule: NetNTLM Downgrade Attack https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks 2018-03-20 10:07:21 +00:00			`- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks`
			`author: Florian Roth`
			`date: 2018/03/20`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-24 23:09:17 +00:00			`modified: 2020/08/23`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`tags:`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-24 23:09:17 +00:00			`- attack.defense_evasion`
			`- attack.t1089 # an old one`
			`- attack.t1562.001`
			`- attack.t1112`
Improved NetNTLM downgrade rule 2018-03-20 14:03:55 +00:00			`detection:`
			`condition: 1 of them`
			`falsepositives:`
			`- Unknown`
			`level: critical`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-24 23:09:17 +00:00			`---`
Rule: NetNTLM Downgrade Attack https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks 2018-03-20 10:07:21 +00:00			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
Improved NetNTLM downgrade rule 2018-03-20 14:03:55 +00:00			`selection1:`
Rule: NetNTLM Downgrade Attack https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks 2018-03-20 10:07:21 +00:00			`EventID: 13`
			`TargetObject:`
Escaped '\' to '\\' where required 2019-02-02 23:24:57 +00:00			`- 'SYSTEM\\ControlSet*\Control\Lsa\lmcompatibilitylevel'`
Update the NTLM downgrade registry paths Recent windows versions rely on the ["MSV1_0" authentication package](https://docs.microsoft.com/en-us/windows/win32/secauthn/msv1-0-authentication-package). Production environment tests have shown that NTLM downgrade attacks can be performed as detected by this rule although some of the registry keys are located in an "Lsa" subkey ("MSV1_0"). This commit introduces additionnal wildcards to handle these cases to ensure the previous detection rules are still included. 2020-04-07 15:14:45 +00:00			`- 'SYSTEM\\ControlSet\Control\Lsa\NtlmMinClientSec'`
			`- 'SYSTEM\\ControlSet\Control\Lsa\RestrictSendingNTLMTraffic'`
Improved NetNTLM downgrade rule 2018-03-20 14:03:55 +00:00			`---`
			`# Windows Security Eventlog: Process Creation with Full Command Line`
			`logsource:`
			`product: windows`
			`service: security`
Replace "logsource: description" with "definition" to match the specs 2018-11-15 06:00:06 +00:00			`definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'`
Improved NetNTLM downgrade rule 2018-03-20 14:03:55 +00:00			`detection:`
			`selection2:`
			`EventID: 4657`
Update the NTLM downgrade registry paths Recent windows versions rely on the ["MSV1_0" authentication package](https://docs.microsoft.com/en-us/windows/win32/secauthn/msv1-0-authentication-package). Production environment tests have shown that NTLM downgrade attacks can be performed as detected by this rule although some of the registry keys are located in an "Lsa" subkey ("MSV1_0"). This commit introduces additionnal wildcards to handle these cases to ensure the previous detection rules are still included. 2020-04-07 15:14:45 +00:00			`ObjectName: '\REGISTRY\MACHINE\SYSTEM\\ControlSet\Control\Lsa*'`
Improved NetNTLM downgrade rule 2018-03-20 14:03:55 +00:00			`ObjectValueName:`
			`- 'LmCompatibilityLevel'`
			`- 'NtlmMinClientSec'`
			`- 'RestrictSendingNTLMTraffic'`