Detect NTLMv1 Authentications (Windows Event Logs)

# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Detect NTLMv1 Authentications (Windows Event Logs)

# Description of what the query does and its purpose.
# Using the YAML block scalar `|` allows for multi-line strings.
description: |
  This query detects NTLM v1 authentications using Windows Event Log telemetry. 

# The author or team that created the query.
author: ByteRay GmbH

# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
  - Endpoint

# The CrowdStrike modules required to run this query.
cs_required_modules:
  - Insight

# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
  - Hunting

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  | windows.EventData.AuthenticationPackageName=NTLM
  | windows.EventData.LmPackageName!= "NTLM V2" 
  | groupBy([windows.EventData.WorkstationName, user.target.name, windows.EventData.KeyLength])
  | rename(field="windows.EventData.WorkstationName", as="Hostname")
  | rename(field="user.target.name", as="Username")
  | rename(field="windows.EventData.KeyLength", as="KeyLength")
  | sort(field=KeyLength,type=number,order=desc)
  | case{
    KeyLength = 128
    | SSP := "Yes";
    in(field="KeyLength", values=[0,40,56])
    | SSP := "No"
  }
  | table([Hostname,Username,KeyLength,SSP])

explanation: |
  [Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation](https://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-deprecation-rainbow-tables?linkId=38338466&hl=en)