Great article, Jerry! This has always been something I'd like to consider doing, but it always seems like a monumental task! If I could get all domain controllers from level 4 to level 5 I feel that could provide some benefits, but it seems that has to be the "last switch". Two quick questions I've had some internal debates with others about:
1) I was reviewing the article below, and they indicate to exclude Anonymous requests when looking through the events. Is that really valid?
https://github.com/MicrosoftDocs/SupportArticles-docs/blob/main/support/windows-server/windows-security/audit-domain-controller-ntlmv1.md#ntlm-auditing
2) Is it absolutely necessary to evaluate all events from endpoints? If ONLY security logs from domain controllers are being collected, is there any way to successfully audit where NTLM v1 is being used?
Would a query such as the one below where ONLY DC logs existed be accurate? I feel that doesn't capture any client/server NTLM V1 connections from domain joined systems. (This was the internal debate I was having with someone)
EventCode=4624 Package_Name__NTLM_only_="NTLM V1" NOT Account_Name="*ANONYMOUS LOGON*"
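The same 4624 / "NTLM V1" filter applied in Python to a few constructed event records, as an added example that is not part of the original comment: it keeps anonymous logons in their own bucket rather than dropping them, so both views of the data can be compared side by side. It assumes Splunk-style field names matching the query above (the Package Name (NTLM only) field extracted as Package_Name__NTLM_only_).

```python
# Added example (not from the original comment): apply the 4624 / "NTLM V1"
# filter to constructed event records, counting anonymous logons separately
# instead of silently excluding them.
from collections import Counter

# Constructed sample 4624 events with Splunk-style field names (assumption:
# "Package Name (NTLM only)" is extracted as Package_Name__NTLM_only_).
SAMPLE_EVENTS = [
    {"EventCode": "4624", "Package_Name__NTLM_only_": "NTLM V1",
     "Account_Name": "jsmith", "Workstation_Name": "WS01"},
    {"EventCode": "4624", "Package_Name__NTLM_only_": "NTLM V1",
     "Account_Name": "ANONYMOUS LOGON", "Workstation_Name": "FILESRV02"},
    {"EventCode": "4624", "Package_Name__NTLM_only_": "NTLM V2",
     "Account_Name": "jsmith", "Workstation_Name": "WS01"},
    {"EventCode": "4624", "Package_Name__NTLM_only_": "-",
     "Account_Name": "svc_backup", "Workstation_Name": "APP01"},
    {"EventCode": "4625", "Package_Name__NTLM_only_": "NTLM V1",
     "Account_Name": "jsmith", "Workstation_Name": "WS01"},
]


def is_ntlmv1_logon(event):
    """True when the event is a successful logon (4624) negotiated with NTLM V1."""
    return (event.get("EventCode") == "4624"
            and event.get("Package_Name__NTLM_only_") == "NTLM V1")


def is_anonymous(event):
    """Mirrors the query's Account_Name="*ANONYMOUS LOGON*" wildcard match."""
    return "ANONYMOUS LOGON" in event.get("Account_Name", "")


def summarize_ntlmv1(events):
    """Bucket NTLM V1 logons into named vs anonymous, keyed by source workstation."""
    named, anonymous = Counter(), Counter()
    for ev in events:
        if not is_ntlmv1_logon(ev):
            continue
        bucket = anonymous if is_anonymous(ev) else named
        bucket[ev.get("Workstation_Name", "?")] += 1
    return {"named": dict(named), "anonymous": dict(anonymous)}


if __name__ == "__main__":
    print(summarize_ntlmv1(SAMPLE_EVENTS))
```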