Forum Discussion

Tali Ash's avatar
Tali Ash
Iron Contributor
Sep 24, 2019

Enriched NTLM authentication data using Windows Event 8004

Have you previously experienced NTLM authentications activities that came from unknown devices, such as Workstation or MSTSC? Would you like to discover the actual server being accessed inside the ne...
SymEyal's avatar
SymEyal
Copper Contributor
Feb 16, 2020

Tali Ash 

Hi Tali!
It seems like event id 8004 is generated on the domain controller only when requesting NTLM auth, along with a valid domain name of that DC.
When supplying an empty domain name, local, or a different one, it's not generating that event.
When attackers often use Password-Spray attacks, they tend to not use a proper domain name.

 

Thanks,
Eyal Neemany.

Tali Ash's avatar
Tali Ash
Iron Contributor
Feb 16, 2020

Hi SymEyal ,

 

In case there is no domain, the authentication won't get to the DC, it will be local.

Azure ATP does not have visibility to local authentications, as it sits on the DCs.

 

So Azure ATP has visibility only to authentications in the domain.

 

Thanks,

Tali

  • SymEyal's avatar
    SymEyal
    Copper Contributor
    Feb 16, 2020

    Tali Ash 
    Thanks for the fast response.
    I just realized that only when the domain name is null when performing NTLM auth, event 8004 is generated along with the 4776 on the DC (and of course when the domain name is valid).

     

    Thanks,
    Eyal.

     

     

     

     

     

Resources