ATA service account seen using NTLMv1


Hi All,

We're in the process of trying to disable NTLMv1 in our domain. To that end I have enabled NTLM logging on the domain controllers. Specifically we've set:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
Set "Audit NTLM authentication in this domain" to enabled for all domain controllers to have visibility of where NTLM might be being used.

As a result of that I'm seeing NTLMv1 audit events that appear to be generated by ATA as they use the ATA service account. For example (names removed for privacy):

Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: *Win 10 Client Computer Name*
User name: *ATA Service Account*
Domain name: *Our Domain*
Workstation name: *Domain Controller*
Secure Channel type: 2

Audit NTLM authentication requests within the domain kclad.ds.kcl.ac.uk that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to any of the Deny options.

Can anyone shed some light on why ATA would be doing this and how we can force it to use NTLMv2?

Regards

David

2 Replies

When building the lateral movement graph the Gateways will issue a SAMR request to the endpoint IPs to check local admin members. This will fall back to NTLM as you can't authenticate using Kerberos to an IP endpoint.

We are using negotiate, so if it falls down all the way to NTLMv1 most likely it's a policy definition you have that causes that...


Thanks Eli,

I've had a look and confirmed the Domain controller policy "Network security: LAN Manager authentication level" is set to 4, i.e.

  • Send NTLMv2 responses only. Refuse LM

The workstation endpoint is set to 5

  • Send NTLMv2 responses only. Refuse LM & NTLM

It's interesting that when I look at the security logs on the endpoint the corresponding log does not look like it's using NTLMv1:


Workstation
An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No

Impersonation Level: Impersonation

New Logon:
Security ID: DOMAIN\atasvc
Account Name: atasvc
Account Domain: DOMAIN
Logon ID: 0x2DE00E59
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name: DOMAINCONTROLLER04
Source Network Address: 137.1.1.6
Source Port: 65141

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128

This event is generated when a logon session is created. It is generated on the computer that was accessed.

And here's the corresponding Domain Controller Log:

Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: WORKSTATION
User name: atasvc
Domain name: fqdn.domain.com
Workstation name: DOMAINCONTROLLER04
Secure Channel type: 2

Audit NTLM authentication requests within the domain fqdn.domain.com that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to any of the Deny options.

If you want to allow NTLM authentication requests in the domain fqdn.domain.com, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests to specific servers in the domain fqdn.domain.com, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in the domain fqdn.domain.com to which clients are allowed to use NTLM authentication.

Seeing as the Domain controller is initiating the connection to the endpoint and that is configured to send NTLMv2 only, and the endpoint is explicitly refusing NTLMv1, I can't think why I'm seeing these NTLMv1 logs.

Regards

David
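The two logs quoted above are the practical way to tell which NTLM version an account actually used: the domain controller's NTLM audit event (event 8004 in the Microsoft-Windows-NTLM/Operational log, which produces the "Domain Controller Blocked Audit" text) records only that NTLM pass-through authentication happened, while the endpoint's 4624 event carries the version in its "Package Name (NTLM only)" field. The PowerShell below is an added example, not code from this thread or from ATA; it assumes an elevated session with read access to the relevant log on the machine it runs on, the account name `atasvc` is taken from the post, and the 8004 field names are assumed from that event's XML.

```powershell
# Added example (not from the thread): summarise NTLM logons by version.
# Run on the endpoint that was accessed; event 4624 is written there and its
# LmPackageName field ("Package Name (NTLM only)") reads NTLM V1 / NTLM V2 / LM.
# Assumes an elevated session with read access to the Security log.

function Get-NtlmLogonSummary {
    param(
        [int]$Hours = 24,          # look-back window
        [string]$Account = '*'     # e.g. 'atasvc' to focus on one service account
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the EventData fields out of the event XML by name
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Only NTLM logons carry a meaningful LmPackageName; Kerberos logons show '-'
        if ($data['AuthenticationPackageName'] -ne 'NTLM') { return }
        if ($data['TargetUserName'] -notlike $Account) { return }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = $data['LogonType']
            SourceHost  = $data['WorkstationName']
            SourceIP    = $data['IpAddress']
            NtlmVersion = $data['LmPackageName']
        }
    }
}

# On a domain controller: list the pass-through NTLM audits (event 8004) that
# produce the "Domain Controller Blocked Audit" text quoted in the thread.
# These events record that NTLM was used, not which NTLM version; the version
# has to be read from 4624 on the target host. The field names below are an
# assumption based on the event XML; if they differ, read $_.Message instead.
function Get-DcNtlmAudit {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated  = $_.TimeCreated
            SChannelName = $data['SChannelName']   # server that forwarded the logon
            UserName     = $data['UserName']
            DomainName   = $data['DomainName']
            Workstation  = $data['WorkstationName']
            SChannelType = $data['SChannelType']
        }
    }
}

# Usage on the workstation: anything other than 'NTLM V2' for the service
# account is what a "Refuse LM & NTLM" policy is meant to eliminate.
Get-NtlmLogonSummary -Hours 24 -Account 'atasvc' |
    Group-Object NtlmVersion |
    Select-Object Name, Count

# Usage on the DC: correlate SChannelName/UserName with the 4624 output above.
# Get-DcNtlmAudit -Hours 24 | Format-Table -AutoSize
```

Grouping the 4624 output by `NtlmVersion` gives a direct count of V1 versus V2 logons per account on the host that was accessed, which is the figure to check before flipping "Restrict NTLM" from Audit to a Deny option; the DC-side 8004 list is useful for finding which servers are still forwarding NTLM logons, but not for deciding whether those logons were NTLMv1.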