Adversaries may be attempting a NetNTLM downgrade attack to intercept and manipulate NTLM authentication traffic, leveraging weak encryption to gain unauthorized access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or credential compromise attempts early.
Detection Rule
title: NetNTLM Downgrade Attack
id: d3abac66-f11c-4ed0-8acb-50cc29c97eed
related:
    - id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
      type: derived
status: test
description: Detects NetNTLM downgrade attack
references:
    - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
author: Florian Roth (Nextron Systems), wagga
date: 2018-03-20
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1562.001
    - attack.t1112
# Windows Security Eventlog: Process Creation with Full Command Line
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
detection:
    selection:
        EventID: 4657
        ObjectName|contains|all:
            - '\REGISTRY\MACHINE\SYSTEM'
            - 'ControlSet'
            - '\Control\Lsa'
        ObjectValueName:
            - 'LmCompatibilityLevel'
            - 'NtlmMinClientSec'
            - 'RestrictSendingNTLMTraffic'
    condition: selection
falsepositives:
    - Unknown
level: high
Azure Sentinel (KQL) translation of the rule, over the ASIM registry event parser:

imRegistry
| where (RegistryKey contains "\\REGISTRY\\MACHINE\\SYSTEM"
    and RegistryKey contains "ControlSet"
    and RegistryKey contains "\\Control\\Lsa")
    and (RegistryValue in~ ("LmCompatibilityLevel", "NtlmMinClientSec", "RestrictSendingNTLMTraffic"))
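To show what the selection above actually matches, here is an added example (not code from the page or from the Sigma project) that re-implements the rule's selection block in Python, runs it over constructed Event ID 4657 records, and adds a small triage helper that says whether the written value is a weak NTLM setting. The sample records, the hex encoding of the DWORD data in NewValue, and the helper names are assumptions made for this example.

```python
# Sigma `contains` and value-name matching are case-insensitive, so compare in lower case.
NTLM_VALUE_NAMES = {"lmcompatibilitylevel", "ntlmminclientsec", "restrictsendingntlmtraffic"}
KEY_FRAGMENTS = (r"\registry\machine\system", "controlset", r"\control\lsa")
NTLMV2_SESSION_SECURITY = 0x00080000  # NtlmMinClientSec flag: require NTLMv2 session security

def matches_selection(ev):
    """Equivalent of the Sigma selection / KQL where-clause: EventID 4657, every key
    fragment present in ObjectName, and the value name in the watched list."""
    obj = ev.get("ObjectName", "").lower()
    return (ev.get("EventID") == 4657
            and all(frag in obj for frag in KEY_FRAGMENTS)
            and ev.get("ObjectValueName", "").lower() in NTLM_VALUE_NAMES)

def is_weak_setting(value_name, new_value):
    """True when the new DWORD leaves the host able to send LM/NTLMv1 or unrestricted NTLM.
    Assumption for the constructed sample: NewValue carries the DWORD as a hex string."""
    name, new = value_name.lower(), int(new_value, 16)
    if name == "lmcompatibilitylevel":
        return new < 3                          # levels 0-2 still send LM/NTLMv1 responses
    if name == "ntlmminclientsec":
        return not (new & NTLMV2_SESSION_SECURITY)
    if name == "restrictsendingntlmtraffic":
        return new == 0                         # 0 = allow all outgoing NTLM traffic
    return False

def hunt(events):
    """One finding per matching event: (value name, old data, new data, weak?)."""
    return [(ev["ObjectValueName"], ev.get("OldValue", ""), ev["NewValue"],
             is_weak_setting(ev["ObjectValueName"], ev["NewValue"]))
            for ev in events if matches_selection(ev)]

# Constructed sample records (not real telemetry); keys mirror 4657's data fields.
LSA = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa"
SAMPLE_EVENTS = [
    {"EventID": 4657, "ObjectName": LSA, "ObjectValueName": "LmCompatibilityLevel",
     "OldValue": "5", "NewValue": "2"},                                # downgrade
    {"EventID": 4657, "ObjectName": LSA + r"\MSV1_0", "ObjectValueName": "NtlmMinClientSec",
     "OldValue": "20080000", "NewValue": "20000000"},                  # drops NTLMv2 session security
    {"EventID": 4657, "ObjectName": LSA + r"\MSV1_0",
     "ObjectValueName": "RestrictSendingNTLMTraffic", "OldValue": "2", "NewValue": "0"},
    {"EventID": 4657, "ObjectName": LSA, "ObjectValueName": "LmCompatibilityLevel",
     "OldValue": "3", "NewValue": "5"},                                # hardening: matches, not weak
    {"EventID": 4657, "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Vendor\App",
     "ObjectValueName": "LmCompatibilityLevel", "OldValue": "", "NewValue": "2"},  # wrong key
    {"EventID": 4663, "ObjectName": LSA, "ObjectValueName": "LmCompatibilityLevel",
     "OldValue": "5", "NewValue": "2"},                                # wrong event ID
]
```

Running `hunt(SAMPLE_EVENTS)` returns four findings: the three writes to weaker settings flagged as weak, plus the hardening write, which the rule also matches and which is the kind of hit the scenarios below are meant to tune out.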
Scenario: Scheduled System Maintenance Task Using NetNTLM
Description: A legitimate scheduled task (e.g., schtasks.exe) is configured to use NetNTLM for authentication during system maintenance.
Filter/Exclusion: process.parent_process_name == "schtasks.exe" or process.name == "schtasks.exe"

Scenario: Admin Performing Remote Management with NetNTLM
Description: An administrator uses a tool like PsExec or WinRM to remotely manage a server, which may trigger NetNTLM traffic.
Filter/Exclusion: process.name == "psexec.exe" or process.name == "winrm.exe", and check for admin privileges via user.domain == "DOMAIN_ADMIN"

Scenario: Legacy Application Using NetNTLM for Compatibility
Description: A legacy enterprise application (e.g., SQL Server or Exchange) uses NetNTLM for backward compatibility with older clients.
Filter/Exclusion: process.name == "sqlservr.exe" or process.name == "msexch.exe", and check for known legacy application IPs or hosts.

Scenario: User-Initiated File Transfer with NetNTLM
Description: A user transfers files using a tool like Robocopy or net use that authenticates via NetNTLM.
Filter/Exclusion: process.name == "robocopy.exe" or process.name == "net.exe", and check for user-initiated traffic via user.name or user.domain.

Scenario: Network Discovery Tool Using NetNTLM for Enumeration
Description: A network discovery tool like Nmap or Masscan may use NetNTLM for SMB enumeration in a controlled environment.
Filter/Exclusion: `process.name == “nmap