title: NTLM Logon
author: Florian Roth
date: 2018/06/08
description: Detects logons using NTLM, which could be caused by a legacy source or
    attackers
detection:
    SELECTION_1:
        EventID: 8002
    SELECTION_2:
        CallingProcessName: '*'
    condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legacy hosts
id: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b
level: low
logsource:
    definition: Requires events from Microsoft-Windows-NTLM/Operational
    product: windows
    service: ntlm
references:
- https://twitter.com/JohnLaTwC/status/1004895028995477505
- https://goo.gl/PsqrhT
status: experimental
tags:
- attack.lateral_movement
- attack.t1075
- attack.t1550.002
yml_filename: win_susp_ntlm_auth.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin