SigmaHQ/rules/windows/builtin/win_net_ntlm_downgrade.yml

45 lines
1.3 KiB
YAML
Raw Normal View History

2018-03-20 14:03:55 +00:00
action: global
title: NetNTLM Downgrade Attack
2019-11-12 22:12:27 +00:00
id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
description: Detects NetNTLM downgrade attack
2019-11-12 22:12:27 +00:00
references:
- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
author: Florian Roth
date: 2018/03/20
modified: 2020/08/23
2018-07-24 05:50:32 +00:00
tags:
- attack.defense_evasion
- attack.t1089 # an old one
- attack.t1562.001
- attack.t1112
2018-03-20 14:03:55 +00:00
detection:
condition: 1 of them
falsepositives:
- Unknown
level: critical
---
logsource:
product: windows
service: sysmon
detection:
2018-03-20 14:03:55 +00:00
selection1:
EventID: 13
2020-10-15 18:44:24 +00:00
TargetObject|endswith:
- 'SYSTEM\\*ControlSet*\Control\Lsa\lmcompatibilitylevel'
- 'SYSTEM\\*ControlSet*\Control\Lsa*\NtlmMinClientSec'
- 'SYSTEM\\*ControlSet*\Control\Lsa*\RestrictSendingNTLMTraffic'
2018-03-20 14:03:55 +00:00
---
# Windows Security Eventlog: Process Creation with Full Command Line
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
2018-03-20 14:03:55 +00:00
detection:
selection2:
EventID: 4657
ObjectName: '\REGISTRY\MACHINE\SYSTEM\\*ControlSet*\Control\Lsa*'
2018-03-20 14:03:55 +00:00
ObjectValueName:
- 'LmCompatibilityLevel'
- 'NtlmMinClientSec'
- 'RestrictSendingNTLMTraffic'