medium advisory

Potential NetNTLMv1 Downgrade Attack via Registry Modification

This brief details a registry modification that downgrades a Windows system to NTLMv1 authentication, enabling NetNTLMv1 downgrade attacks; it is typically performed with local administrator privileges.

This rule detects a defense evasion technique in which an attacker modifies the Windows registry to force a system to use the weaker NTLMv1 authentication protocol, known as a NetNTLMv1 downgrade attack. The modification changes the LmCompatibilityLevel value, which controls which LAN Manager authentication level the system negotiates. Attackers with local administrator privileges can change this value to weaken the authentication mechanism, making captured authentication traffic easier to intercept and crack. The rule detects this activity by monitoring registry events from several sources, including Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and CrowdStrike. Monitoring for this activity matters because a successful downgrade can lead to credential theft and further compromise of the system.

Attack Chain

  1. The attacker gains local administrator privileges on a Windows system.
  2. The attacker uses a registry editor or command-line tool (e.g., reg.exe, PowerShell) to modify the LmCompatibilityLevel value in the registry.
  3. The attacker navigates to one of the following registry paths: HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel or HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
  4. The attacker sets the LmCompatibilityLevel value to “0”, “1”, or “2” (or their hexadecimal equivalents “0x00000000”, “0x00000001”, “0x00000002”). These values force the system to use NTLMv1.
  5. The system now uses NTLMv1 for authentication attempts.
  6. The attacker initiates a man-in-the-middle attack to capture NTLMv1 authentication traffic using tools like Responder or Inveigh.
  7. The captured NTLMv1 hashes are cracked using brute-force or dictionary attacks, revealing the user’s credentials.
  8. The attacker uses the compromised credentials to gain unauthorized access to network resources or other systems.

Impact

A successful NetNTLMv1 downgrade attack can lead to the compromise of user credentials, enabling attackers to move laterally within the network, access sensitive data, and potentially escalate privileges. The impact can range from data breaches to complete system compromise, depending on the attacker’s objectives and the compromised user’s privileges.

Recommendation

  • Deploy the Sigma rule “Potential NetNTLMv1 Downgrade Attack” to detect registry modifications setting LmCompatibilityLevel to insecure values (0, 1, 2) within the specified registry paths.
  • Enable Sysmon registry event logging to ensure the necessary data is available for the Sigma rule to function correctly.
  • Review registry event logs for unauthorized modifications of LmCompatibilityLevel to confirm legitimate administrative actions.
  • Implement strict access control policies to limit local administrator privileges and reduce the attack surface.
  • Monitor the referenced URL for updates on recommended security configurations related to NTLM authentication.

Detection coverage (2 rules)

Potential NetNTLMv1 Downgrade Attack

medium

Detects registry modification to force the system to fall back to NTLMv1 for authentication.

Format: sigma | Tactics: defense_evasion | Techniques: T1112, T1562, T1562.010 | Sources: registry_set, windows
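The rule's detection queries are not published on this page, so the following is an added example (not the vendor's rule) that mirrors the conditions the advisory describes: a Sysmon Event ID 13 (registry value set) whose TargetObject ends in \Control\Lsa\LmCompatibilityLevel and whose DWORD data is 0, 1 or 2. The event records are constructed for illustration; the Sysmon "DWORD (0x........)" Details format and the LmCompatibilityLevel 5 hardened setting are assumed from Sysmon and Windows documentation.

```python
import re
from typing import Iterable, Optional

# Selection mirrored from the advisory: LmCompatibilityLevel under the Lsa key set to 0, 1 or 2.
TARGET_SUFFIX = r"\Control\Lsa\LmCompatibilityLevel"
INSECURE_LEVELS = {0, 1, 2}
# Sysmon renders DWORD registry data as "DWORD (0x00000002)".
_DWORD_RE = re.compile(r"DWORD \((0x[0-9a-fA-F]{8})\)")

# Constructed Sysmon Event ID 13 records for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel",
     "Details": "DWORD (0x00000002)"},                        # downgrade: should fire
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel",
     "Details": "DWORD (0x00000005)"},                        # hardened (NTLMv2 only): no alert
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel",
     "Details": "DWORD (0x00000000)"},                        # downgrade: should fire
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous",
     "Details": "DWORD (0x00000001)"},                        # different value: no alert
]

def parse_level(details: str) -> Optional[int]:
    """Return the integer stored in a Sysmon DWORD 'Details' string, or None if not a DWORD."""
    m = _DWORD_RE.search(details)
    return int(m.group(1), 16) if m else None

def is_ntlmv1_downgrade(event: dict) -> bool:
    """True when the event sets LmCompatibilityLevel to an insecure (LM/NTLMv1-capable) level."""
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "")
    if not target.lower().endswith(TARGET_SUFFIX.lower()):
        return False
    return parse_level(event.get("Details", "")) in INSECURE_LEVELS

def find_downgrades(events: Iterable[dict]) -> list:
    """Filter a stream of registry events down to NetNTLMv1 downgrade candidates."""
    return [e for e in events if is_ntlmv1_downgrade(e)]

if __name__ == "__main__":
    for hit in find_downgrades(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} set LmCompatibilityLevel to {parse_level(hit['Details'])}")
```

Triage each hit against change records before escalating, since an administrator applying a legitimate compatibility setting produces the same event.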

Potential NetNTLMv1 Downgrade Attack - PowerShell

medium

Detects PowerShell usage to modify the LmCompatibilityLevel registry key to force NTLMv1 downgrade.

Format: sigma | Tactics: defense_evasion | Techniques: T1112, T1562, T1562.010 | Sources: process_creation, windows
