How to audit NTLM?

Last week I came across the following blog post: Stop using LAN Manager and NTLMv1!

The first step it proposes, which sounds reasonable and wise, is to audit event ID 4624 (an account was successfully logged on). For NTLM logons the LmPackageName field of that event tells you whether LM, NTLM V1 or NTLM V2 was used, so anything other than 'NTLM V2' is what you're hunting for.
Here's one way to do it on the domain controllers:

$c = Get-Credential
# 4624 logons that used NTLM but not NTLM V2, i.e. LM or NTLM V1.
# Kerberos logons carry '-' in LmPackageName, hence the AuthenticationPackageName test.
$xml = @'
<QueryList>
 <Query Id="0" Path="Security">
  <Select Path="Security">
   *[System[(EventID=4624)]]
   and *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]
   and *[EventData[Data[@Name='LmPackageName']!='NTLM V2']]
  </Select>
 </Query>
</QueryList>
'@
(Get-ADDomainController -Filter *).HostName |
Where-Object { $_ -notin @('dc1.fqdn','dc3.fqdn') } |
ForEach-Object {
 Get-WinEvent -ComputerName $_ -FilterXml $xml -ErrorAction SilentlyContinue -Credential $c | # -MaxEvents 1
 ForEach-Object {
  # flatten the <Data Name="..."> elements of EventData into one object per event
  $h = @{ DC = $_.MachineName ; TimeCreated = $_.TimeCreated }
  ([xml]$_.ToXml()).Event.EventData.Data |
  ForEach-Object { $h[$_.Name] = $_.'#text' }
  [PSCustomObject]$h
 }
} | Out-GridView

The above example audits 4624 events on the domain controllers (skipping a couple of them), but you can also audit 4624 events on any computer, since the same fields are present in its local Security log.
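As an added example (not code from the original post), here is a local variant that classifies NTLM logons by LM package version and source, so you can see at a glance which workstations and accounts still produce LM or NTLM V1 logons. It parses the event XML by field name rather than by position, accepts either live EventLogRecord objects or raw event XML, and is exercised first on a constructed sample event (not a real capture) before being run against the local Security log. The dc2.fqdn, FS01, CORP and svc-backup values in the sample are made up.

```powershell
# Added example: classify 4624 NTLM logons by LM package and source (not from the original post).
function ConvertFrom-NtlmLogonEvent {
 param([Parameter(ValueFromPipeline=$true)] $Record)   # EventLogRecord or raw event XML string
 process {
  $raw = if ($Record -is [string]) { $Record } else { $Record.ToXml() }
  $xml = [xml]$raw
  # EventData fields keyed by their Name attribute, so positions do not matter
  $d = @{}
  foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
  # Kerberos/Negotiate-Kerberos logons carry '-' in LmPackageName; keep only NTLM ones
  if ($d['AuthenticationPackageName'] -ne 'NTLM') { return }
  [PSCustomObject]@{
   TimeCreated = [datetime]$xml.Event.System.TimeCreated.SystemTime
   Computer    = $xml.Event.System.Computer
   LmPackage   = $d['LmPackageName']        # 'LM', 'NTLM V1' or 'NTLM V2'
   Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
   Workstation = $d['WorkstationName']
   IpAddress   = $d['IpAddress']
   LogonType   = $d['LogonType']
  }
 }
}

# Constructed sample (not a real capture): an NTLM V1 network logon
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
  <Provider Name="Microsoft-Windows-Security-Auditing"/>
  <EventID>4624</EventID>
  <TimeCreated SystemTime="2019-05-01T10:00:00.000Z"/>
  <Computer>dc2.fqdn</Computer>
 </System>
 <EventData>
  <Data Name="TargetUserName">svc-backup</Data>
  <Data Name="TargetDomainName">CORP</Data>
  <Data Name="LogonType">3</Data>
  <Data Name="AuthenticationPackageName">NTLM</Data>
  <Data Name="WorkstationName">FS01</Data>
  <Data Name="LmPackageName">NTLM V1</Data>
  <Data Name="IpAddress">10.0.0.25</Data>
 </EventData>
</Event>
'@
$sample | ConvertFrom-NtlmLogonEvent | Format-List

# Live run: the last 1000 logons on this host, summarised by package version and source.
# (The XPath filter used in the script above is cheaper server-side; this filters client-side for clarity.)
Get-WinEvent -FilterHashtable @{ LogName = 'Security' ; Id = 4624 } -MaxEvents 1000 -ErrorAction SilentlyContinue |
ConvertFrom-NtlmLogonEvent |
Where-Object { $_.LmPackage -ne 'NTLM V2' } |
Group-Object LmPackage, Workstation, Account |
Sort-Object Count -Descending |
Select-Object Count, Name
```

Run it elevated (reading the Security log needs administrator or the Event Log Readers right). The grouped output is the list to work through before you move from auditing to blocking: every row is a client or service still speaking LM or NTLM V1.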

What else could be done to audit NTLM?
You can also enable specific NTLM auditing on every computer using group policies. The three settings live under Security Options (Computer Configuration, Windows Settings, Security Settings, Local Policies): "Network security: Restrict NTLM: Audit NTLM authentication in this domain", "Network security: Restrict NTLM: Audit incoming NTLM traffic" and "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
By default, they are not defined and auditing is off.

Once you've activated these 3 settings, the NTLM audit events are written to the Microsoft-Windows-NTLM/Operational log.

You can also activate these settings using the following registry modifications (run elevated):

# Network security: Restrict NTLM: Audit NTLM authentication in this domain: Enable all
# Netlogon setting, only meaningful on domain controllers; produces 8003 events
$HT = @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\services\Netlogon\Parameters' }
Set-ItemProperty @HT -Name AuditNTLMInDomain -Value 7

# Network security: Restrict NTLM: Audit incoming NTLM traffic: Enable auditing for all accounts
# applies to any computer; produces 8002 events
$HT = @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' }
Set-ItemProperty @HT -Name AuditReceivingNTLMTraffic -Value 2

# Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers: Audit all
# applies to any computer; 1 = audit all, 2 = deny all; produces 8001 events
$HT = @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' }
Set-ItemProperty @HT -Name RestrictSendingNTLMTraffic -Value 1
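As an added example (not code from the original post), here is a read-back check for those three values and for the state of the Microsoft-Windows-NTLM/Operational log, so you can confirm what a GPO or the Set-ItemProperty calls above actually left on a machine. An absent value is reported as not configured, which is the default state; the number-to-wording mapping follows the Security Options editor.

```powershell
# Added example: read back the NTLM audit settings on this machine (not from the original post).
function Get-NtlmAuditState {
 # Value meanings as shown in the Security Options GPO editor
 $map = @{
  AuditNTLMInDomain = @{
   0 = 'Disable'; 1 = 'Enable for domain accounts to domain servers'
   3 = 'Enable for domain accounts'; 5 = 'Enable for domain servers'; 7 = 'Enable all'
  }
  AuditReceivingNTLMTraffic = @{
   0 = 'Disable'; 1 = 'Enable auditing for domain accounts'; 2 = 'Enable auditing for all accounts'
  }
  RestrictSendingNTLMTraffic = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
 }
 $settings = @(
  @{ Name = 'AuditNTLMInDomain'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\services\Netlogon\Parameters'
     Scope = 'Domain controllers only' }
  @{ Name = 'AuditReceivingNTLMTraffic'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
     Scope = 'Any computer' }
  @{ Name = 'RestrictSendingNTLMTraffic'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
     Scope = 'Any computer' }
 )
 foreach ($s in $settings) {
  $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
  # $null means the value does not exist, i.e. the setting is not configured and auditing is off
  $value = if ($item) { [int]$item.($s.Name) } else { $null }
  if ($null -eq $value) {
   $meaning = 'Not configured (auditing off)'
  } elseif ($map[$s.Name].ContainsKey($value)) {
   $meaning = $map[$s.Name][$value]
  } else {
   $meaning = "Unknown value $value"
  }
  [PSCustomObject]@{ Setting = $s.Name ; Value = $value ; Meaning = $meaning ; Scope = $s.Scope }
 }
 # The 8001/8002/8003 events only land somewhere if the operational log itself is enabled
 $log = Get-WinEvent -ListLog 'Microsoft-Windows-NTLM/Operational' -ErrorAction SilentlyContinue
 if ($log -and $log.IsEnabled) {
  $logValue = 1 ; $logMeaning = "Enabled, $($log.RecordCount) records"
 } else {
  $logValue = $null ; $logMeaning = 'Log missing or disabled'
 }
 [PSCustomObject]@{
  Setting = 'Microsoft-Windows-NTLM/Operational log'
  Value = $logValue ; Meaning = $logMeaning ; Scope = 'Any computer'
 }
}

Get-NtlmAuditState | Format-Table -AutoSize
```

Run it on a domain controller and on an ordinary member server: the Netlogon value is expected to be absent on the latter, and a RestrictSendingNTLMTraffic of 2 means you are already past auditing and into blocking.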

To list what events will be logged you can do:

(Get-WinEvent -ListProvider Microsoft-Windows-NTLM).Events |
Select-Object Id, Description |
Format-Table -AutoSize -Wrap

When auditing is enabled, we should look at events 8001 (outgoing NTLM that would be blocked), 8002 (incoming NTLM that would be blocked) and 8003 (NTLM authentication in the domain, logged on domain controllers).
Here's how to have a quick overview of both 8001 and 8002 events combined, using the positional Properties of each event:

# 8001 - NTLM client blocked audit: outgoing NTLM authentication traffic that would be blocked.
# 8002 - NTLM server blocked audit: incoming NTLM authentication traffic that would be blocked.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational' ; Id = 8001,8002 } |
ForEach-Object {
 $e = $_
 # the two events carry their fields in a different order, hence the per-Id mapping
 switch ($e.Id) {
  8001 {
   $Direction = 'Out'
   $TargetName = $e.Properties[0].Value
   $ProcessID = $e.Properties[3].Value
   $ProcessName = $e.Properties[4].Value
   $Identity = "$($e.Properties[2].Value)\$($e.Properties[1].Value)"
  }
  8002 {
   $Direction = 'In'
   $TargetName = $env:COMPUTERNAME
   $ProcessID = $e.Properties[0].Value
   $ProcessName = $e.Properties[1].Value
   $Identity = "$($e.Properties[4].Value)\$($e.Properties[3].Value)"
  }
  default {}
 }
 [PSCustomObject]@{
  TimeCreated = $e.TimeCreated
  TargetName = $TargetName
  Direction = $Direction
  ProcessId = $ProcessID
  ProcessName = $ProcessName
  Identity = $Identity
 }
} | Out-GridView

2 thoughts on "How to audit NTLM?"

  1. Hello! So I have enabled this through GPO for a few DCs. We no longer needed it so I disabled the GPO, but they are still auditing NTLM. As far as I could tell, these don't tattoo the registry. I didn't think I'd need a separate GPO to turn it off?
