How to audit NTLM?

I saw the following blog post last week: Stop using LAN Manager and NTLMv1!

The first proposed step, which sounds reasonable and wise, is to audit event ID 4624 (An account was successfully logged on) and look at which authentication package and LM package each logon used.
Here's one way to do it across the domain controllers:

# Credential used to read the Security log remotely (Event Log Readers or local admin on the DCs)
$c = Get-Credential
# XPath: successful logons (4624) that used neither Kerberos nor NTLMv2.
# Note that this also matches local logons through Negotiate, whose LmPackageName is '-',
# so look at LmPackageName in the output to isolate the real LM / NTLM V1 ones.
$xml = @'
<QueryList>
 <Query Id="0" Path="Security">
  <Select Path="Security">
   *[System[(EventID=4624)]]
    and
    (
     *[EventData[Data[@Name='AuthenticationPackageName']!='Kerberos']]
     and
     *[EventData[Data[@Name='LmPackageName']!='NTLM V2']]
   )
  </Select>
 </Query>
</QueryList>
'@
(Get-ADDomainController -Filter *).HostName |
Where-Object { $_ -notin @('dc1.fqdn','dc3.fqdn') } |   # DCs you don't want to query
ForEach-Object {
 $dc = $_
 Get-WinEvent -ComputerName $dc -FilterXml $xml -ErrorAction SilentlyContinue -Credential $c | # -MaxEvents 1
 ForEach-Object {
  # Flatten the <Data Name="..."> elements of EventData into one object per event
  $h = [ordered]@{ ComputerName = $dc ; TimeCreated = $_.TimeCreated }
  ([xml]$_.ToXml()).Event.EventData.Data |
  ForEach-Object {
   $h.Add($_.Name, $_.'#text')
  }
  [PSCustomObject]$h
 }
} | Out-GridView

The above example audits 4624 events on domain controllers, where every domain account logon ends up, but you can run the same query against the Security log of any computer (for example a file server that clients authenticate to directly).
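As an added example (not part of the original post), here is the triage step to run on the flattened 4624 objects produced above: keep only the logons that really used LM or NTLMv1 (the XPath filter also returns local Negotiate logons whose LmPackageName is '-') and count them per source address, workstation and account, with first and last seen. The property names are the 4624 EventData field names; the sample rows are constructed so the function can be tried offline, and in practice you would pipe the output of the Get-WinEvent loop into Get-LegacyNtlmLogon instead.

```powershell
function Get-LegacyNtlmLogon {
 # Input : flattened 4624 objects (one property per EventData field, plus TimeCreated)
 # Output: one row per source / account pair that used LM or NTLM V1
 param(
  [Parameter(ValueFromPipeline)] $Event,
  [string[]]$LegacyPackages = @('LM','NTLM V1')
 )
 begin { $rows = New-Object System.Collections.Generic.List[object] }
 process {
  # 4624 writes '-' into LmPackageName for Kerberos and for local Negotiate logons: skip those
  if ($Event.LmPackageName -in $LegacyPackages) { $rows.Add($Event) }
 }
 end {
  $rows |
  Group-Object IpAddress, WorkstationName, TargetDomainName, TargetUserName |
  ForEach-Object {
   $g = @($_.Group | Sort-Object TimeCreated)
   [PSCustomObject]@{
    IpAddress       = $g[0].IpAddress
    WorkstationName = $g[0].WorkstationName
    Account         = '{0}\{1}' -f $g[0].TargetDomainName, $g[0].TargetUserName
    LmPackageName   = ($g.LmPackageName | Sort-Object -Unique) -join ','
    LogonTypes      = ($g.LogonType | Sort-Object -Unique) -join ','
    Count           = $g.Count
    FirstSeen       = $g[0].TimeCreated
    LastSeen        = $g[-1].TimeCreated
   }
  } | Sort-Object Count -Descending
 }
}

# Constructed sample rows: same shape as the flattened 4624 objects, values are made up
$sample = @(
 [PSCustomObject]@{ TimeCreated = [datetime]'2017-03-01 08:00'; LogonType = '3'; AuthenticationPackageName = 'NTLM'; LmPackageName = 'NTLM V1'; TargetDomainName = 'CORP'; TargetUserName = 'svc_backup'; WorkstationName = 'FILESRV01'; IpAddress = '10.0.0.15' }
 [PSCustomObject]@{ TimeCreated = [datetime]'2017-03-01 09:30'; LogonType = '3'; AuthenticationPackageName = 'NTLM'; LmPackageName = 'NTLM V1'; TargetDomainName = 'CORP'; TargetUserName = 'svc_backup'; WorkstationName = 'FILESRV01'; IpAddress = '10.0.0.15' }
 [PSCustomObject]@{ TimeCreated = [datetime]'2017-03-01 10:05'; LogonType = '3'; AuthenticationPackageName = 'NTLM'; LmPackageName = 'LM';      TargetDomainName = 'CORP'; TargetUserName = 'printer01';  WorkstationName = 'MFP-3RD';   IpAddress = '10.0.2.40' }
 [PSCustomObject]@{ TimeCreated = [datetime]'2017-03-01 10:10'; LogonType = '3'; AuthenticationPackageName = 'NTLM'; LmPackageName = 'NTLM V2'; TargetDomainName = 'CORP'; TargetUserName = 'jdoe';       WorkstationName = 'WKS-042';   IpAddress = '10.0.1.12' }
 [PSCustomObject]@{ TimeCreated = [datetime]'2017-03-01 10:11'; LogonType = '5'; AuthenticationPackageName = 'Negotiate'; LmPackageName = '-'; TargetDomainName = 'NT AUTHORITY'; TargetUserName = 'SYSTEM'; WorkstationName = '-'; IpAddress = '-' }
)

# Expected: two rows (svc_backup from 10.0.0.15 with Count 2, printer01 from 10.0.2.40 with Count 1);
# the NTLM V2 and Negotiate rows are dropped
$sample | Get-LegacyNtlmLogon | Format-Table -AutoSize
```

The IpAddress / WorkstationName pair is what you need to track down the client; TargetUserName tells you which account (often a service or device account) still has LmCompatibilityLevel set low enough to send an NTLMv1 or LM response.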

What else could be done to audit NTLM?
You can also enable NTLM-specific auditing on every computer with Group Policy. The settings live under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options and are all named "Network security: Restrict NTLM: ...".
By default these policies are not defined and nothing is logged.

Once you've activated these 3 settings, "Audit NTLM authentication in this domain" (domain controllers only), "Audit Incoming NTLM Traffic" and "Outgoing NTLM traffic to remote servers", NTLM events start showing up in the Microsoft-Windows-NTLM/Operational log.

You can also activate these settings using the following registry modifications (run elevated; they write the same REG_DWORD values Group Policy would set):


# Network security: Restrict NTLM: Audit NTLM authentication in this domain -> Enable all
# Only meaningful on domain controllers.
$HT = @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' ; Type = 'DWord' }
Set-ItemProperty @HT -Name AuditNTLMInDomain -Value 7

# Network security: Restrict NTLM: Audit Incoming NTLM Traffic -> Enable auditing for all accounts
$HT = @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' ; Type = 'DWord' }
Set-ItemProperty @HT -Name AuditReceivingNTLMTraffic -Value 2

# Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers -> Audit all
# (1 = Audit all; 2 would be Deny all, so don't go there before you have read the audit events)
Set-ItemProperty @HT -Name RestrictSendingNTLMTraffic -Value 1

To list the events the NTLM provider can log, with their descriptions, you can do:

(Get-WinEvent -ListProvider Microsoft-Windows-NTLM).Events |
Select-Object Id, Description |
Out-GridView

When auditing is enabled, the events to look at in the Microsoft-Windows-NTLM/Operational log are 8001 (NTLM client blocked audit: outgoing NTLM the client would block), 8002 (NTLM server blocked audit: incoming NTLM the server would block) and 8003 (NTLM server blocked in the domain audit); with "Audit NTLM authentication in this domain" enabled, domain controllers additionally log 8004 (domain controller blocked audit).
Here's how to have a quick overview of both 8001 and 8002 events combined:

# 8001: NTLM client blocked audit  - outgoing NTLM that "Outgoing NTLM traffic to remote servers" would block
# 8002: NTLM server blocked audit  - incoming NTLM that "Incoming NTLM traffic" would block
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational' ; Id = 8001,8002 } |
ForEach-Object {
 $e = $_
 switch ($e.Id) {
  8001 {
   # Fields: target server, supplied user, supplied domain, client PID, client process name, ...
   $Direction = 'Out'
   $TargetName = $e.Properties[0].Value
   $ProcessID = $e.Properties[3].Value
   $ProcessName = $e.Properties[4].Value
   $Identity = "$($e.Properties[2].Value)\$($e.Properties[1].Value)"
   break
  }
  8002 {
   # Fields: calling process PID, calling process name, LUID, user identity, domain, ...
   $Direction = 'In'
   $TargetName = $e.MachineName   # the server that received the NTLM request (works for remote logs too)
   $ProcessID = $e.Properties[0].Value
   $ProcessName = $e.Properties[1].Value
   $Identity = "$($e.Properties[4].Value)\$($e.Properties[3].Value)"
   break
  }
 }
 [PSCustomObject]@{
  TimeCreated = $e.TimeCreated
  EventId     = $e.Id
  TargetName  = $TargetName
  Direction   = $Direction
  ProcessId   = $ProcessID
  ProcessName = $ProcessName
  Identity    = $Identity
 }
} | Out-GridView
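The domain-wide view comes from the 8004 events the domain controllers log once AuditNTLMInDomain is on, since every NTLM pass-through authentication for a domain account goes through a DC. The following is an added example, not code from the original post: it parses 8004 into objects and summarises them per client workstation and user across all DCs. The field order (secure channel name, user name, domain name, workstation name, secure channel type) is taken from the 8004 message template and should be checked on your build with `(Get-WinEvent -ListProvider Microsoft-Windows-NTLM).Events | Where-Object Id -eq 8004`; the `$fake` record is constructed to exercise the parser offline.

```powershell
function ConvertFrom-Ntlm8004 {
 # Turn one 8004 (Domain Controller Blocked Audit) record into a flat object.
 # Property order assumed from the event template: SecureChannelName, UserName, DomainName, WorkstationName, SecureChannelType
 param([Parameter(ValueFromPipeline)] $Event)
 process {
  if ($Event.Id -ne 8004) { return }
  $p = $Event.Properties
  [PSCustomObject]@{
   TimeCreated       = $Event.TimeCreated
   DomainController  = $Event.MachineName
   SecureChannelName = $p[0].Value            # member server that passed the NTLM request through
   User              = '{0}\{1}' -f $p[2].Value, $p[1].Value
   Workstation       = $p[3].Value            # client computer that produced the NTLM response
   SecureChannelType = $p[4].Value
  }
 }
}

function Get-DomainNtlmAudit {
 # Collect 8004 events from every DC and count them per workstation / user pair
 param(
  [pscredential]$Credential,
  [datetime]$Since = (Get-Date).AddDays(-7)
 )
 $params = @{
  FilterHashtable = @{ LogName = 'Microsoft-Windows-NTLM/Operational' ; Id = 8004 ; StartTime = $Since }
  ErrorAction     = 'SilentlyContinue'
 }
 if ($Credential) { $params.Credential = $Credential }
 (Get-ADDomainController -Filter *).HostName |
 ForEach-Object { Get-WinEvent @params -ComputerName $_ } |
 ConvertFrom-Ntlm8004 |
 Group-Object Workstation, User |
 ForEach-Object {
  $g = @($_.Group | Sort-Object TimeCreated)
  [PSCustomObject]@{
   Workstation = $g[0].Workstation
   User        = $g[0].User
   Servers     = ($g.SecureChannelName | Sort-Object -Unique) -join ','
   Count       = $g.Count
   FirstSeen   = $g[0].TimeCreated
   LastSeen    = $g[-1].TimeCreated
  }
 } | Sort-Object Count -Descending
}

# Constructed record with the shape of an EventLogRecord (Id, TimeCreated, MachineName, Properties[].Value)
# so the parser can be tried without a DC; the names are made up.
$fake = [PSCustomObject]@{
 Id = 8004 ; TimeCreated = Get-Date ; MachineName = 'dc1.fqdn'
 Properties = @('FILESRV01','jdoe','CORP','WKS-042','2') | ForEach-Object { [PSCustomObject]@{ Value = $_ } }
}
$fake | ConvertFrom-Ntlm8004 | Format-List

# Real run, on a domain-joined box with the AD module (RSAT):
# Get-DomainNtlmAudit -Credential (Get-Credential) -Since (Get-Date).AddDays(-30) | Out-GridView
```

The Workstation / User pairs with the highest counts are the first candidates to fix before you move "Outgoing NTLM traffic to remote servers" or "Incoming NTLM traffic" from Audit to Deny; the Servers column tells you which member servers they hit, which is where the 8002 events from the previous snippet will show the calling process.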