Forum Discussion
Enriched NTLM authentication data using Windows Event 8004
Have you previously experienced NTLM authentication activities that came from unknown devices, such as Workstation or MSTSC? Would you like to discover the actual server being accessed inside the network? This information is now available in Azure ATP!
Starting from version 2.96, Azure ATP sensors parse Windows event 8004 for NTLM authentications. When NTLM auditing is enabled and Windows event 8004 is logged, Azure ATP sensors now automatically read the event and enrich your NTLM authentication activities display with the accessed server data.
A new Resource Access over NTLM activity is now available, showing the source user, source device and the accessed resource:
Joye Parsons (1) is accessing CLIENT2 from W10-000100 device over NTLM.
Enriched Failed log on activities, providing the destination computer the user attempted, but failed, to access:
Joye Parsons (1) failing to log on to CLIENT2 from W10-000100 device over NTLM.
In a future release, this data will also be available directly in authentication based Azure ATP security alerts such as Brute Force and Account Enumeration.
Stay tuned for more updates. As always, your feedback and questions are welcome!
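As an added example (not part of the original post, and not Azure ATP's own code), the DC-side configuration that makes a domain controller write event 8004, followed by a query that reads the fields the sensor enriches from. Two points worth knowing up front: 8004 is written to the Microsoft-Windows-NTLM/Operational channel, not to the Security log where 4776 lives, and the three "Network security: Restrict NTLM" audit settings are backed by the registry values set below, so you can check what LSA actually reads rather than only what gpresult reports. The EventData field names (SChannelName, UserName, DomainName, WorkstationName) are assumed from the event's message layout; if they differ on your build, dump the `$d` hashtable to see the real names. Run elevated on the domain controller.

```powershell
# Added example: enable NTLM auditing on a DC and read the 8004 events it produces.
# Registry locations behind the "Network security: Restrict NTLM: ..." policy settings.
$msv1   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$nlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# "Audit NTLM authentication in this domain" = Enable all (7).
# This is the Netlogon-side setting that causes the DC to log 8004 for domain NTLM auth.
Set-ItemProperty -Path $nlogon -Name 'AuditNTLMInDomain'        -Value 7 -Type DWord
# "Audit Incoming NTLM Traffic" = Enable auditing for all accounts (2).
Set-ItemProperty -Path $msv1   -Name 'AuditReceivingNTLMTraffic' -Value 2 -Type DWord
# "Outgoing NTLM traffic to remote servers" = Audit all (1). 2 would be "Deny all"; do not use that here.
Set-ItemProperty -Path $msv1   -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord

# Show the effective values LSA/Netlogon will read (a GPO that does not target this DC leaves them unset).
Get-ItemProperty -Path $nlogon -Name 'AuditNTLMInDomain'
Get-ItemProperty -Path $msv1   -Name 'AuditReceivingNTLMTraffic', 'RestrictSendingNTLMTraffic'

# 8004 goes to the NTLM operational channel; make sure it is enabled.
$log = 'Microsoft-Windows-NTLM/Operational'
$channel = Get-WinEvent -ListLog $log
if (-not $channel.IsEnabled) { wevtutil sl $log /e:true }

# Pull recent 8004 events and flatten EventData into the fields Azure ATP enriches from.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8004 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            # Assumed EventData names (see lead-in); "Secure Channel name" is the accessed server.
            Server      = $d['SChannelName']
            User        = $d['UserName']
            Domain      = $d['DomainName']
            Workstation = $d['WorkstationName']
        }
    } | Format-Table -AutoSize
```

If the registry values are present but the query returns nothing, generate a test NTLM logon against a member server with a proper DOMAIN\user name (the reply below about empty or foreign domain names applies) and re-run the query; if the values are absent, the policy is not reaching the DC regardless of what gpresult shows for the workstation you ran it on.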
- truekonrads (Brass Contributor)
Tali Ash, hi - we enabled NTLM auditing; however, no 8004 events are generated despite 4776s being generated. We verified that NTLM auditing is enabled using gpresult.
Any tips to debug?
- LoicMichel (Copper Contributor)
Hi, did you ever find a solution to events 8004 not being generated? I'm in the same situation.
Regards,
Loic
- Andy Loy (Copper Contributor)
Hi, can I just add an additional question to this, if I may?
Are there any pre-considerations around enabling event ID 8004 on live DCs?
Such as:
1. Potential volume of event logs and potential knock on - local event ID file size/frequency of log overwrites?
2. DC local performance concerns once enabled?
3. If using another complementary log-forwarding solution (e.g. ATP Defender for Server), the knock-on log volume ingested into Log Analytics/Sentinel.
Thanks in advance
Andy
- SymEyal (Copper Contributor)
Hi Tali!
It seems like event id 8004 is generated on the domain controller only when requesting NTLM auth, along with a valid domain name of that DC.
When supplying an empty domain name, local, or a different one, it's not generating that event.
When attackers use Password-Spray attacks, they often tend not to use a proper domain name.
Thanks,
Eyal Neemany
- Christopher Campos (Copper Contributor)
Hi, where do I configure this "NTLM authentication using Windows Event 8004": on the domain controller or in the Defender for Identity standalone? I have an implementation where I use the Defender for Identity standalone with port mirroring. Thanks!