Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
title: Suspicious NTLM Logon Failure Without WorkstationName - Possible Impacket
id: a5b0db6d-7f9b-4d13-9f8e-b1b26f4625fa
status: experimental
description: Detects failed NTLM logons (Event ID 4625) with specific attributes and no workstation name, which could indicate malicious activity such as NTLM relay or password spraying.
author: Charles BLANC-ROLIN @woundride
date: 2025/04/19
logsource:
product: windows
service: security
category: logon
detection:
selection:
AuthenticationPackageName: NTLM
EventID: 4625
LogonType: 3
KeyLength: 0
SubjectUserSid: S-1-0-0
WorkstationName: '-'
condition: selection
fields:
- SubjectUserName
- IpAddress
- LogonProcessName
- WorkstationName
- TargetUserSid
falsepositives:
- Some legitimate system processes or misconfigured clients may lack workstationName
level: high
tags:
- attack.credential_access
- attack.t1110
- windows
- ntlm
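Review bot: the `logsource` block in this hunk combines `service: security` with `category: logon`, which is not a recognised Sigma category; Windows Security-log rules keyed on EventID 4625 use `product: windows` and `service: security` only, so drop `category: logon` or backends will not map the source. Two consistency points in the same hunk: the title says "Possible Impacket" while the description names NTLM relay and password spraying, so align one with the other, and `SubjectUserSid: S-1-0-0` is the usual NULL SID on LogonType 3 events and therefore adds little selectivity; state in the description why it is included or remove it. The rule also has no `references:` entry, the `date` uses `2025/04/19` where the ISO form `2025-04-19` is what the current Sigma specification expects, and the bare tags `windows` and `ntlm` are not namespaced (`attack.*`, `cve.*`, ...), which SigmaHQ's rule tests reject. Given the acknowledged false positives from legitimate system processes, `level: medium` may be more appropriate than `high`.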
@@ -0,0 +1,33 @@
title: Suspicious NTLM Logon Success Without WorkstationName - Possible Impacket
id: 798fd9eb-7151-43a1-9717-b2b164abfe91
status: experimental
description: Detects success NTLM logons (Event ID 4624) with specific attributes and no workstation name, which could indicate malicious activity such as Impacket authentication.
author: Charles BLANC-ROLIN @woundride
date: 2025/04/19
logsource:
product: windows
service: security
category: logon
detection:
selection:
AuthenticationPackageName: NTLM
EventID: 4624
LogonType: 3
KeyLength: 0
SubjectUserSid: S-1-0-0
WorkstationName: '-'
condition: selection
fields:
- SubjectUserName
- IpAddress
- LogonProcessName
- WorkstationName
- TargetUserSid
falsepositives:
- Some legitimate system processes or misconfigured clients may lack workstationName
level: high
tags:
- attack.credential_access
- attack.t1110
- windows
- ntlm
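Review bot: the tag `attack.t1110` (Brute Force) does not describe what this hunk detects; a successful NTLM network logon attributed to Impacket is better tagged as `attack.t1078` (Valid Accounts) under `attack.lateral_movement` or `attack.defense_evasion`, with `attack.credential_access` kept only if the intent is credential use rather than guessing. Minor wording in the same hunk: "Detects success NTLM logons" should read "Detects successful NTLM logons", and `workstationName` in the falsepositives entry should match the field casing `WorkstationName`. The `logsource` has the same problem as the failure rule: `category: logon` is not a Sigma category and should be removed, leaving `product: windows` and `service: security`. As with the sibling rule, add a `references:` entry, use the ISO date form `2025-04-19`, and replace the un-namespaced tags `windows` and `ntlm`.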