SigmaHQ/rules/windows/builtin/win_net_ntlm_downgrade.yml

42 lines
1.2 KiB
YAML
Raw Normal View History

2018-03-20 14:03:55 +00:00
---
action: global
title: NetNTLM Downgrade Attack
description: Detects post exploitation using NetNTLM downgrade attacks
references:
- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
author: Florian Roth
date: 2018/03/20
2018-07-24 05:50:32 +00:00
tags:
- attack.credential_access
- attack.t1212
2018-03-20 14:03:55 +00:00
detection:
condition: 1 of them
falsepositives:
- Unknown
level: critical
---
logsource:
product: windows
service: sysmon
detection:
2018-03-20 14:03:55 +00:00
selection1:
EventID: 13
TargetObject:
2018-03-21 09:42:41 +00:00
- '*SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel'
- '*SYSTEM\*ControlSet*\Control\Lsa\NtlmMinClientSec'
- '*SYSTEM\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic'
2018-03-20 14:03:55 +00:00
---
# Windows Security Eventlog: Process Creation with Full Command Line
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
2018-03-20 14:03:55 +00:00
detection:
selection2:
EventID: 4657
2018-03-21 09:47:14 +00:00
ObjectName: '\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Lsa'
2018-03-20 14:03:55 +00:00
ObjectValueName:
- 'LmCompatibilityLevel'
- 'NtlmMinClientSec'
- 'RestrictSendingNTLMTraffic'