Detect NTLMv1 Authentications (Windows Event Logs)
This query detects NTLM v1 authentications using Windows Event Log telemetry.
Tags: EDR hunting, FDR, intermediate
By ByteRay GmbH (cql-hub.com). 1 min read
Query
| windows.EventData.AuthenticationPackageName=NTLM
| windows.EventData.LmPackageName!="NTLM V2"
| groupBy([windows.EventData.WorkstationName, user.target.name, windows.EventData.KeyLength])
| rename(field="windows.EventData.WorkstationName", as="Hostname")
| rename(field="user.target.name", as="Username")
| rename(field="windows.EventData.KeyLength", as="KeyLength")
| sort(field=KeyLength, type=number, order=desc)
| case {
    KeyLength = 128
    | SSP := "Yes";
    in(field="KeyLength", values=[0,40,56])
    | SSP := "No"
  }
| table([Hostname, Username, KeyLength, SSP])

Explanation
Imported from cql-hub.com.
Pipe by pipe: the first two filters keep logon events whose authentication package is NTLM but whose LM package is not "NTLM V2", which is what the query treats as an NTLMv1 authentication. groupBy() then aggregates those events per workstation, target user and session key length (adding the implicit _count). The three rename() calls give the grouped fields short names, sort() orders the rows by key length with the highest first, and the case expression sets SSP to "Yes" when KeyLength is 128 and to "No" when it is 0, 40 or 56. table() selects the final output columns.
Variables to adjust
Review and adjust the values for your environment, in particular the excluded LmPackageName value and the KeyLength values used in the case expression.
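To trace what the query's filter, grouping and case expression do on concrete data, here is an added Python re-implementation of the same logic; it is not part of the cql-hub page or the ByteRay query. The event records are constructed samples and the field names (AuthenticationPackageName, LmPackageName, WorkstationName, TargetUserName, KeyLength) mirror the ones the query reads.

```python
"""Added example: the cql-hub NTLMv1 query re-implemented in Python so its filter,
grouping and KeyLength-based SSP classification can be traced on sample data.
Event records are constructed; field names mirror what the CQL query reads."""
from collections import Counter

# Constructed 4624-style logon records (not real telemetry).
SAMPLE_EVENTS = [
    {"AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1",
     "WorkstationName": "WS-ACCT-01", "TargetUserName": "alice", "KeyLength": 128},
    {"AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1",
     "WorkstationName": "WS-ACCT-01", "TargetUserName": "alice", "KeyLength": 128},
    {"AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",  # excluded: NTLMv2
     "WorkstationName": "WS-HR-07", "TargetUserName": "bob", "KeyLength": 128},
    {"AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1",
     "WorkstationName": "LEGACY-SCAN", "TargetUserName": "svc_backup", "KeyLength": 56},
    {"AuthenticationPackageName": "Kerberos", "LmPackageName": "-",     # excluded: not NTLM
     "WorkstationName": "WS-HR-07", "TargetUserName": "bob", "KeyLength": 0},
]

def is_ntlmv1_logon(event):
    """First two pipes: AuthenticationPackageName=NTLM and LmPackageName != "NTLM V2"."""
    return (event.get("AuthenticationPackageName") == "NTLM"
            and event.get("LmPackageName") != "NTLM V2")

def classify_ssp(key_length):
    """The case expression: 128 -> "Yes", 0/40/56 -> "No"; other lengths stay unset."""
    if key_length == 128:
        return "Yes"
    if key_length in (0, 40, 56):
        return "No"
    return None

def detect_ntlmv1(events):
    """groupBy([WorkstationName, TargetUserName, KeyLength]) with its implicit _count,
    the rename() calls, sort(KeyLength desc) and the case expression, as one table."""
    counts = Counter(
        (ev["WorkstationName"], ev["TargetUserName"], ev["KeyLength"])
        for ev in events if is_ntlmv1_logon(ev)
    )
    rows = [
        {"Hostname": host, "Username": user, "KeyLength": klen,
         "SSP": classify_ssp(klen), "_count": n}
        for (host, user, klen), n in counts.items()
    ]
    rows.sort(key=lambda r: r["KeyLength"], reverse=True)
    return rows
```

Calling detect_ntlmv1(SAMPLE_EVENTS) yields two rows: alice on WS-ACCT-01 (KeyLength 128, SSP "Yes", _count 2) and svc_backup on LEGACY-SCAN (KeyLength 56, SSP "No"); the NTLMv2 and Kerberos logons are filtered out exactly as the query's first two pipes do.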