Forum Discussion
ATA service account seen using NTLMv1
When building the lateral movement graph the Gateways will issue a SAMR request to the endpoint IPs to check local admin members. This will fall back to NTLM as you can't authenticate using Kerberos to an IP endpoint.
We are using negotiate, so if it falls down all the way to NTLMv1 most likely it's a policy definition you have that causes that...
- David McAllister, Oct 11, 2018, Copper Contributor
Thanks Eli,
I've had a look and confirmed the Domain Controller policy "Network security: LAN Manager authentication level" is set to 4, i.e.
- Send NTLMv2 responses only. Refuse LM
The workstation endpoint is set to 5
- Send NTLMv2 responses only. Refuse LM & NTLM
It's interesting that when I look at the security logs on the endpoint the corresponding log does not look like it's using NTLMv1:
Workstation
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: DOMAIN\atasvc
Account Name: atasvc
Account Domain: DOMAIN
Logon ID: 0x2DE00E59
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: DOMAINCONTROLLER04
Source Network Address: 137.1.1.6
Source Port: 65141
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
And here's the corresponding Domain Controller log:
Domain Controller
Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: WORKSTATION
User name: atasvc
Domain name: fqdn.domain.com
Workstation name: DOMAINCONTROLLER04
Secure Channel type: 2
Audit NTLM authentication requests within the domain fqdn.domain.com that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to any of the Deny options.
If you want to allow NTLM authentication requests in the domain fqdn.domain.com, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.
If you want to allow NTLM authentication requests to specific servers in the domain fqdn.domain.com, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in the domain fqdn.domain.com to which clients are allowed to use NTLM authentication.
Seeing as the Domain Controller is initiating the connection to the endpoint and that's configured to send NTLMv2 only, and the endpoint is explicitly refusing NTLMv1, I can't think why I'm seeing these NTLMv1 logs.
Regards
David
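As an added example (not from the thread, and not ATA's own code), the script below parses 4624 event bodies in the "Key: value" text form quoted above and classifies each logon by the "Package Name (NTLM only)" field, which is what distinguishes NTLMv1 from NTLMv2 when "Authentication Package" only says NTLM. The sample events are constructed: the first mirrors the workstation log in the thread, the account name `legacyapp` and address `10.0.0.9` in the second are made up.

```python
import re

# Constructed sample 4624 event bodies in the "Key: value" text form shown in the
# thread: the first mirrors the workstation log (NTLM V2), the others are made up.
SAMPLE_EVENTS = [
    """Logon Type: 3
Account Name: atasvc
Source Network Address: 137.1.1.6
Authentication Package: NTLM
Package Name (NTLM only): NTLM V2
Key Length: 128""",
    """Logon Type: 3
Account Name: legacyapp
Source Network Address: 10.0.0.9
Authentication Package: NTLM
Package Name (NTLM only): NTLM V1
Key Length: 56""",
    """Logon Type: 3
Account Name: atasvc
Source Network Address: 137.1.1.6
Authentication Package: Kerberos
Package Name (NTLM only): -
Key Length: 0""",
]

FIELD = re.compile(r"^\s*([^:\n]+):[ \t]*(.*)$", re.MULTILINE)

def parse_event(text):
    """Return the 'Key: value' pairs of a 4624 event body as a dict."""
    return {k.strip(): v.strip() for k, v in FIELD.findall(text)}

def ntlm_version(fields):
    """Classify a logon as 'Kerberos', 'NTLMv1', 'NTLMv2' or 'unknown'.
    'Authentication Package: NTLM' alone does not give the version;
    'Package Name (NTLM only)' does (LM, NTLM V1 or NTLM V2)."""
    if fields.get("Authentication Package") == "Kerberos":
        return "Kerberos"
    name = fields.get("Package Name (NTLM only)", "").upper()
    if name in ("NTLM V1", "LM"):
        return "NTLMv1"
    return "NTLMv2" if name == "NTLM V2" else "unknown"

def weak_logons(events):
    """(account, source address) of each network logon (type 3) using NTLMv1 or LM."""
    hits = []
    for f in map(parse_event, events):
        if f.get("Logon Type") == "3" and ntlm_version(f) == "NTLMv1":
            hits.append((f["Account Name"], f["Source Network Address"]))
    return hits
```

Run over the thread's workstation event, this reports NTLMv2, which matches the "Send NTLMv2 responses only" settings described; the DC-side 8004 audit quoted above records only that NTLM was used, not which version.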