NetNTLM Downgrade Attack - Registry
- source: sigma
- techniques:
  - t1112
  - t1562
  - t1562.001
Description
Detects a NetNTLM downgrade attack: a registry write under the LSA key that sets the values controlling NTLM authentication strength (LmCompatibilityLevel, NtlmMinClientSec, RestrictSendingNTLMTraffic) to weaker settings.
Detection logic
condition: selection_regkey and 1 of selection_value_*
selection_regkey:
  TargetObject|contains|all:
    - SYSTEM\
    - ControlSet
    - \Control\Lsa
selection_value_lmcompatibilitylevel:
  Details:
    - DWORD (0x00000000)
    - DWORD (0x00000001)
    - DWORD (0x00000002)
  TargetObject|endswith: \lmcompatibilitylevel
selection_value_ntlmminclientsec:
  Details:
    - DWORD (0x00000000)
    - DWORD (0x00000010)
    - DWORD (0x00000020)
    - DWORD (0x00000030)
  TargetObject|endswith: \NtlmMinClientSec
selection_value_restrictsendingntlmtraffic:
  TargetObject|endswith: \RestrictSendingNTLMTraffic
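To show how the condition `selection_regkey and 1 of selection_value_*` behaves on real-looking telemetry, the following Python script is an added example (not part of the Sigma project or of this rule) that transcribes the selections above into a small evaluator and runs it over constructed Sysmon Event ID 13 (registry value set) records. It implements only the modifiers the rule uses (`contains|all`, `endswith`, plain equality) with Sigma's case-insensitive matching; the sample events, their `Image` values and the field names are assumptions modelled on Sysmon's registry events, not data from the page.

```python
# Added example (not part of the Sigma project or this page's rule text):
# evaluates the detection logic above against constructed Sysmon Event ID 13
# ("RegistryEvent (Value Set)") records. Sigma string matching is
# case-insensitive, so everything is lower-cased before comparison.
from typing import Dict, List, Union

Event = Dict[str, str]
Expected = Union[str, List[str]]

# The rule's selections, transcribed from the page. Only the modifiers the
# rule uses (contains|all, endswith) plus plain equality are implemented.
RULE: Dict[str, Dict[str, Expected]] = {
    "selection_regkey": {
        "TargetObject|contains|all": ["SYSTEM\\", "ControlSet", "\\Control\\Lsa"],
    },
    "selection_value_lmcompatibilitylevel": {
        "Details": ["DWORD (0x00000000)", "DWORD (0x00000001)", "DWORD (0x00000002)"],
        "TargetObject|endswith": "\\lmcompatibilitylevel",
    },
    "selection_value_ntlmminclientsec": {
        "Details": ["DWORD (0x00000000)", "DWORD (0x00000010)",
                    "DWORD (0x00000020)", "DWORD (0x00000030)"],
        "TargetObject|endswith": "\\NtlmMinClientSec",
    },
    # As shown on the page this selection constrains only the value name,
    # so any write to RestrictSendingNTLMTraffic under the LSA key matches.
    "selection_value_restrictsendingntlmtraffic": {
        "TargetObject|endswith": "\\RestrictSendingNTLMTraffic",
    },
}


def field_matches(event: Event, key: str, expected: Expected) -> bool:
    """Apply one 'Field|modifier...' entry of a Sigma selection to an event."""
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()
    wanted = [expected] if isinstance(expected, str) else list(expected)
    wanted = [w.lower() for w in wanted]
    if "contains" in mods:
        hits = [w in actual for w in wanted]
    elif "endswith" in mods:
        hits = [actual.endswith(w) for w in wanted]
    elif "startswith" in mods:
        hits = [actual.startswith(w) for w in wanted]
    else:
        hits = [actual == w for w in wanted]
    # A list of values is OR-ed unless the 'all' modifier is present.
    return all(hits) if "all" in mods else any(hits)


def selection_matches(event: Event, selection: Dict[str, Expected]) -> bool:
    """Every field entry inside one selection must match (AND semantics)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def matched_value_selections(event: Event) -> List[str]:
    """Implements 'selection_regkey and 1 of selection_value_*'.

    Returns the names of the value selections that fired; an empty list
    means the event does not trigger the rule.
    """
    if not selection_matches(event, RULE["selection_regkey"]):
        return []
    return [name for name, sel in RULE.items()
            if name.startswith("selection_value_") and selection_matches(event, sel)]


def rule_matches(event: Event) -> bool:
    return bool(matched_value_selections(event))


# Constructed Sysmon Event ID 13 records (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {   # weakens NTLM to LM/NTLMv1 -> alert
        "EventID": "13", "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel",
        "Details": "DWORD (0x00000001)",
    },
    {   # hardens to NTLMv2-only (level 5) -> no alert
        "EventID": "13", "Image": "C:\\Windows\\System32\\gpupdate.exe",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel",
        "Details": "DWORD (0x00000005)",
    },
    {   # clears the minimum client security flags -> alert
        "EventID": "13", "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\NtlmMinClientSec",
        "Details": "DWORD (0x00000000)",
    },
    {   # any change to RestrictSendingNTLMTraffic under LSA -> alert
        "EventID": "13", "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\RestrictSendingNTLMTraffic",
        "Details": "DWORD (0x00000002)",
    },
    {   # same value name outside the LSA key -> selection_regkey fails, no alert
        "EventID": "13", "Image": "C:\\Windows\\System32\\svchost.exe",
        "TargetObject": "HKLM\\Software\\Policies\\Microsoft\\Windows\\NtlmMinClientSec",
        "Details": "DWORD (0x00000000)",
    },
]


def alerts(events: List[Event]) -> List[int]:
    """Indices of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for i in alerts(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {e['Image']} set {e['TargetObject']} = {e['Details']} "
              f"({', '.join(matched_value_selections(e))})")
```

Two behaviours worth noting when tuning this rule: the second sample event (LmCompatibilityLevel raised to 5) is correctly ignored because the `Details` list only covers the weak levels 0 to 2, while the fourth event fires on any `RestrictSendingNTLMTraffic` write because, as transcribed on the page, that selection carries no `Details` constraint; a defender who sees noise from group-policy refreshes on that value can add the same kind of value filter the other two selections use.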