Ntlm — CraftedSignal Threat Feed

Potential NetNTLMv1 Downgrade Attack via Registry Modification

hello@craftedsignal.io — Mon, 04 May 2026 14:17:05 +0000

This rule detects a specific defense evasion technique where an attacker modifies the Windows registry to force a system to use the less secure NTLMv1 authentication protocol. This is known as a NetNTLMv1 downgrade attack. The registry modification involves changing the LmCompatibilityLevel value, which controls the authentication level. Attackers with local administrator privileges can perform this modification to weaken the authentication mechanism, making it easier to intercept and crack credentials. The rule is designed to detect this activity by monitoring registry events from various sources, including Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Crowdstrike. It is important to monitor for this activity as it can lead to credential theft and further compromise of the system.

Attack Chain

The attacker gains local administrator privileges on a Windows system.
The attacker uses a registry editor or command-line tool (e.g., reg.exe, PowerShell) to modify the LmCompatibilityLevel value in the registry.
The attacker navigates to one of the following registry paths: HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel or HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
The attacker sets the LmCompatibilityLevel value to “0”, “1”, or “2” (or their hexadecimal equivalents “0x00000000”, “0x00000001”, “0x00000002”). These values force the system to use NTLMv1.
The system now uses NTLMv1 for authentication attempts.
The attacker initiates a man-in-the-middle attack to capture NTLMv1 authentication traffic using tools like Responder or Inveigh.
The captured NTLMv1 hashes are cracked using brute-force or dictionary attacks, revealing the user’s credentials.
The attacker uses the compromised credentials to gain unauthorized access to network resources or other systems.

Impact

A successful NetNTLMv1 downgrade attack can lead to the compromise of user credentials, enabling attackers to move laterally within the network, access sensitive data, and potentially escalate privileges. The impact can range from data breaches to complete system compromise, depending on the attacker’s objectives and the compromised user’s privileges.

Recommendation

Deploy the Sigma rule “Potential NetNTLMv1 Downgrade Attack” to detect registry modifications setting LmCompatibilityLevel to insecure values (0, 1, 2) within the specified registry paths.
Enable Sysmon registry event logging to ensure the necessary data is available for the Sigma rule to function correctly.
Review registry event logs for unauthorized modifications of LmCompatibilityLevel to confirm legitimate administrative actions.
Implement strict access control policies to limit local administrator privileges and reduce the attack surface.
Monitor the references URL for updates on recommended security configurations related to NTLM authentication.

SiYuan Zero-Click NTLM Theft and Blind SSRF via Mermaid Diagrams

hello@craftedsignal.io — Sat, 11 Apr 2026 12:00:00 +0000

SiYuan, a note-taking application, is vulnerable to a zero-click NTLM hash theft and blind SSRF exploit due to insecure configuration of Mermaid.js. The application configures Mermaid.js with securityLevel: "loose" and htmlLabels: true, which allows tags with src attributes to bypass sanitization and be injected into SVG blocks. When a user opens a note containing a malicious Mermaid diagram with a protocol-relative URL (e.g., //attacker.com/image.png), the Electron client fetches the URL. On Windows, this resolves as a UNC path, triggering SMB authentication and sending the victim’s NTLMv2 hash to the attacker. On macOS and Linux, the same diagram triggers an HTTP request to the attacker’s server, exfiltrating the victim’s IP address. The vulnerability affects SiYuan versions prior to the fix implemented after April 7, 2026. This allows for credential theft without any user interaction beyond opening a note.

Attack Chain

The attacker crafts a malicious SiYuan note containing a Mermaid diagram with a protocol-relative URL within an tag, such as .
The attacker distributes the malicious note (e.g., via sharing or a crafted .sy export).
The victim opens the note in SiYuan.
SiYuan renders the Mermaid diagram using the insecure Mermaid.js configuration.
The SVG containing the malicious tag is injected into the DOM via innerHTML.
The Electron client attempts to fetch the resource at the protocol-relative URL.
On Windows, the protocol-relative URL resolves to a UNC path (\\attacker.com\share\img.png), initiating an SMB connection.
Windows automatically sends the victim’s NTLMv2 hash to the attacker’s SMB server, or makes an HTTP request leaking victim’s IP on other platforms.

Impact

The vulnerability allows for zero-click NTLMv2 hash theft on Windows systems, where the victim only needs to open a note containing the malicious Mermaid diagram. The stolen NTLMv2 hashes can be cracked offline or used in relay attacks to gain unauthorized access to the victim’s resources. On all platforms, this vulnerability can be exploited to perform blind SSRF and leak the victim’s IP address, acting as a tracking pixel to confirm when the note was opened. This affects all SiYuan users who receive a crafted note.

Recommendation

Deploy the Sigma rule Detect SiYuan Mermaid NTLM Theft Attempt to identify SMB traffic originating from SiYuan processes attempting to connect to external IPs (network_connection log source).
Deploy the Sigma rule Detect SiYuan Mermaid SSRF Attempt to detect HTTP requests from SiYuan to external IP addresses with a suspicious URL (network_connection log source).
Monitor network traffic for SMB connections originating from SiYuan, especially to unusual or external destinations (network_connection log source).
Block the attacker’s domain (attacker.com) at the DNS resolver, as observed in the malicious Mermaid diagram example (iocs).
Upgrade SiYuan to a patched version that addresses CVE-2026-40107 to mitigate the underlying vulnerability.

Detecting Rare SMB Connections for Potential NTLM Credential Theft

hello@craftedsignal.io — Thu, 25 Jan 2024 12:00:00 +0000

This detection strategy focuses on identifying unusual Server Message Block (SMB) traffic that originates from internal IP addresses and connects to external networks. The SMB protocol, commonly used for file and printer sharing within a network, can be exploited to exfiltrate data by injecting rogue UNC paths to capture NTLM credentials. This activity is often associated with threat actors attempting to steal credentials for lateral movement or data exfiltration. Defenders should be aware of this technique as it allows adversaries to bypass traditional security controls by leveraging a legitimate protocol for malicious purposes. This detection is relevant for environments utilizing Windows operating systems and SMB for internal network communications. The goal is to identify and alert on SMB connections to external IPs, excluding known safe ranges and legitimate business applications.

Attack Chain

An attacker compromises an internal system via phishing or other means (not detailed in source).
The attacker injects a rogue UNC path into a document, email, or other medium.
A user opens the malicious document or clicks the injected link, triggering an SMB connection to a malicious external server.
The SMB connection attempts to authenticate with the user’s NTLM credentials.
The attacker captures the NTLM hash from the authentication attempt.
The attacker attempts to crack the NTLM hash to obtain the user’s password.
Using the cracked password, the attacker gains unauthorized access to other systems and resources on the network.

Impact

Successful exploitation can lead to credential theft, allowing attackers to gain unauthorized access to sensitive data and systems within the organization. This can result in data breaches, financial losses, and reputational damage. The impact is significant because SMB is a common protocol within many Windows environments, making this technique highly effective if not properly monitored.

Recommendation

Deploy the Sigma rule “Detect SMB Connection to External IP” to your SIEM to identify potentially malicious SMB connections to the internet. Tune the rule by excluding known good external IPs used by legitimate services.
Enable Sysmon Event ID 3 (Network Connection) with proper filtering to capture SMB traffic details as recommended in the linked setup guide, to enhance the fidelity of the detection.
Implement network segmentation to restrict SMB traffic to only necessary internal communications, reducing the attack surface and mitigating the risk of external exposure.