
Conversation

@Neo23x0 Neo23x0 (Collaborator) commented Dec 3, 2024

Summary of the Pull Request

False positives with values and security upgrades

Changelog

fix: false positives with NetNTLM Downgrade Attack

Example Log Event

We see this in Sysmon events:

TargetObject: HKLM\\System\\CurrentControlSet\\Control\\Lsa\\lmcompatibilitylevel Details: DWORD (0x00000005)
[Screenshot of the Sysmon event, taken 2024-12-03 15:39:36]

I think we can fix this by providing the problematic values: 0, 1, 2

But, we also see this:

Image: C:\WINDOWS\system32\services.exe TargetObject: HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\ntlmminclientsec Details: DWORD (0x20080000)

So, the value for this key is much harder to handle. I currently don't know how.

Options:

  • Exclude the ntlmminclientsec value from the selection
  • Add a false positive note

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions
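One way to express the tuning proposed in the comment above, as an added example that is neither the Sigma rule itself nor the change that was eventually merged: parse the Sysmon registry-value-set event text, alert on lmcompatibilitylevel only for the problematic values 0, 1, 2 (so the value 5 seen in the PR is not flagged), and for ntlmminclientsec decode the DWORD as the NTLM minimum-session-security bitmask so that the default 0x20080000 (NTLMv2 session security plus 128-bit encryption) passes while a value that clears one of those protections fires. The flag names come from Microsoft's documentation of the "Minimum session security for NTLM SSP" setting; the baseline of required bits and the two events marked constructed are assumptions of this example.

```python
import re

# Values of HKLM\...\Lsa\LmCompatibilityLevel the PR proposes to alert on
# (0-2 still permit LM / NTLMv1 responses); 3-5 are the secure settings.
PROBLEMATIC_LMCOMPAT = {0, 1, 2}

# Bit flags of NtlmMinClientSec / NtlmMinServerSec as documented by Microsoft
# for "Network security: Minimum session security for NTLM SSP based clients".
NTLM_FLAGS = {
    0x00000010: "message integrity",
    0x00000020: "message confidentiality",
    0x00080000: "NTLMv2 session security",
    0x20000000: "128-bit encryption",
    0x80000000: "56-bit encryption",
}

# Assumption of this example: the value quoted in the PR (NTLMv2 session
# security + 128-bit encryption) is the baseline; clearing either bit is a
# downgrade worth alerting on.
REQUIRED_MIN_SEC = 0x00080000 | 0x20000000

# Sysmon Event ID 13 text as quoted in the PR, plus two constructed lines
# (not from the PR) that exercise the alerting branch.
SAMPLE_EVENTS = {
    "lmcompat_ok": r"TargetObject: HKLM\\System\\CurrentControlSet\\Control\\Lsa\\lmcompatibilitylevel Details: DWORD (0x00000005)",
    "minclientsec_ok": r"Image: C:\WINDOWS\system32\services.exe TargetObject: HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\ntlmminclientsec Details: DWORD (0x20080000)",
    "lmcompat_bad": r"TargetObject: HKLM\System\CurrentControlSet\Control\Lsa\lmcompatibilitylevel Details: DWORD (0x00000001)",  # constructed
    "minclientsec_bad": r"TargetObject: HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\ntlmminclientsec Details: DWORD (0x00000000)",  # constructed
}

DETAILS_RE = re.compile(r"TargetObject:\s*(\S+)\s+Details:\s*DWORD\s*\((0x[0-9A-Fa-f]+)\)")


def parse_event(line):
    """Return (value_name, int_value) from a Sysmon registry-set event line, or None."""
    m = DETAILS_RE.search(line)
    if not m:
        return None
    target, hexval = m.groups()
    # GitHub rendered one of the quoted paths with doubled backslashes; normalise first.
    name = target.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
    return name, int(hexval, 16)


def decode_min_sec(value):
    """Split an NtlmMin*Sec DWORD into the flags present and the baseline flags missing."""
    present = [n for bit, n in NTLM_FLAGS.items() if value & bit]
    missing = [n for bit, n in NTLM_FLAGS.items() if (REQUIRED_MIN_SEC & bit) and not (value & bit)]
    return present, missing


def assess(line):
    """Decide whether a registry event should fire the NetNTLM downgrade detection."""
    parsed = parse_event(line)
    if parsed is None:
        return {"suspicious": False, "reason": "not a DWORD registry-set event"}
    name, value = parsed
    if name == "lmcompatibilitylevel":
        bad = value in PROBLEMATIC_LMCOMPAT
        verdict = " permits LM/NTLMv1" if bad else " is a secure level"
        return {"name": name, "value": value, "suspicious": bad,
                "reason": f"LmCompatibilityLevel={value}" + verdict}
    if name in ("ntlmminclientsec", "ntlmminserversec"):
        present, missing = decode_min_sec(value)
        return {"name": name, "value": value, "suspicious": bool(missing),
                "reason": f"set: {present}; cleared baseline protections: {missing}"}
    return {"name": name, "value": value, "suspicious": False, "reason": "value not covered by this rule"}


if __name__ == "__main__":
    for label, line in SAMPLE_EVENTS.items():
        r = assess(line)
        print(f"{label:16} suspicious={r['suspicious']}  {r['reason']}")
```

Decoding the bitmask rather than matching exact DWORDs is what lets the rule keep ntlmminclientsec in the selection without a fixed list of "bad" values: any write that drops NTLMv2 session security or 128-bit encryption is flagged, and the services.exe write of the default value in the PR stays quiet.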

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Dec 3, 2024
@Neo23x0 Neo23x0 added the Work In Progress Some changes are needed label Dec 3, 2024
@nasbench nasbench removed the Work In Progress Some changes are needed label Dec 3, 2024
@nasbench nasbench (Member) left a comment

I made the necessary changes to tune this. Explanation is given in the comment.

@nasbench nasbench merged commit 6fd57da into master Dec 3, 2024
23 checks passed
@nasbench nasbench deleted the fix-ntlm-downgrade branch December 3, 2024 21:44