Splunk Stream: Finding NTLM V1 and LM Usage

chris · ‎01-10-2018

Hi,

This article describes how NTLM v1 and LM usage can be detected: https://blogs.technet.microsoft.com/askds/2012/02/02/purging-old-nt-security-protocols/

Based on the article I came up with the following Wireshark filter:
(ntlmssp.auth.ntresponse) ||( !(ntlmssp.auth.lmresponse == 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00) && (ntlmssp.auth.lmresponse))

Is there a way I could configure/abuse the Splunk App for Stream to log events based on that filter?

It will probably be difficult/impossible to configure a regex based field using "src_content" or "dest_content"

In Splunk_TA_stream/default/vocabularies/smb.xml or Splunk_TA_stream/default/streams/smb I do not see any Fields that correspond to the Lan Manager Response OR NTLMv1 Response

Running Strings on streamfwd and grepping for smb shows that there is a SMBProtocolHandler implemented. So I suspect that the binary has to be modified. Is this assumption correct?

Regards
Chris

tdmcs · ‎05-07-2018

Here is what I have been using to find NTLM v1 authentications:
source=WinEventLog:Security eventtype=windows_logon_success AND AuthenticationPackageName=NTLM AND LmPackageName="NTLM V1"| table Computer, IpAddress, IpPort, AuthenticationPackageName, LmPackageName, LogonProcessName

Keep in mind that if Anonymous logons are allowed, you may also see a number of them in the result list. I have a separate query that filters those results out using the following addition:
AND TargetUserName!="ANONYMOUS LOGON"

Splunk Stream: Finding NTLM V1 and LM Usage

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life