sigmalowHunting

NTLM Logon

Detects logons using NTLM, which could be caused by a legacy source or attackers

MITRE ATT&CK

defense-evasionlateral-movement

Detection Query

selection:
  EventID: 8002
condition: selection

Author

Florian Roth (Nextron Systems)

Created

2018-06-08

Data Sources

windowsntlm

Platforms

windows

References

https://twitter.com/JohnLaTwC/status/1004895028995477505

Tags

attack.defense-evasionattack.lateral-movementattack.t1550.002

Raw Content

title: NTLM Logon
id: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b
status: test
description: Detects logons using NTLM, which could be caused by a legacy source or attackers
references:
    - https://twitter.com/JohnLaTwC/status/1004895028995477505
author: Florian Roth (Nextron Systems)
date: 2018-06-08
modified: 2024-07-22
tags:
    - attack.defense-evasion
    - attack.lateral-movement
    - attack.t1550.002
logsource:
    product: windows
    service: ntlm
    definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
    selection:
        EventID: 8002
    condition: selection
falsepositives:
    - Legacy hosts
level: low