Hi,
This article describes how NTLM v1 and LM usage can be detected: https://blogs.technet.microsoft.com/askds/2012/02/02/purging-old-nt-security-protocols/
Based on the article I came up with the following Wireshark filter:
(ntlmssp.auth.ntresponse) ||( !(ntlmssp.auth.lmresponse == 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00) && (ntlmssp.auth.lmresponse))
Is there a way I could configure/abuse the Splunk App for Stream to log events based on that filter?
It will probably be difficult/impossible to configure a regex based field using "src_content" or "dest_content"
In Splunk_TA_stream/default/vocabularies/smb.xml or Splunk_TA_stream/default/streams/smb I do not see any Fields that correspond to the Lan Manager Response OR NTLMv1 Response
Running Strings on streamfwd and grepping for smb shows that there is a SMBProtocolHandler implemented. So I suspect that the binary has to be modified. Is this assumption correct?
Regards
Chris
Here is what I have been using to find NTLM v1 authentications:
source=WinEventLog:Security eventtype=windows_logon_success AND AuthenticationPackageName=NTLM AND LmPackageName="NTLM V1"| table Computer, IpAddress, IpPort, AuthenticationPackageName, LmPackageName, LogonProcessName
Keep in mind that if Anonymous logons are allowed, you may also see a number of them in the result list. I have a separate query that filters those results out using the following addition:
AND TargetUserName!="ANONYMOUS LOGON"