
Commit 92c75dc

Add files via upload
1 parent 3eb0ad7 commit 92c75dc


2 files changed

+81
-0
lines changed

Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,35 @@
1+
# --- Query Metadata ---
2+
# Human-readable name for the query. Will be displayed as the title.
3+
name: Detect NTLMv1 Authentications
4+
5+
# Description of what the query does and its purpose.
6+
# Using the YAML block scalar `|` allows for multi-line strings.
7+
description: |
8+
This query detects NTLM v1 authentications using Falcon ITP telemetry.
9+
[Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation](https://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-deprecation-rainbow-tables?linkId=38338466&hl=en)
10+
11+
# The author or team that created the query.
12+
author: ByteRay GmbH
13+
14+
# The required log sources to run this query successfully in Next-Gen SIEM.
15+
# This will be displayed in the UI to inform the user.
16+
log_sources:
17+
- Identity
18+
19+
# The CrowdStrike modules required to run this query.
20+
cs_required_modules:
21+
- Identity
22+
23+
# Tags for filtering and categorization.
24+
# Include relevant techniques, tactics, or platforms.
25+
tags:
26+
- Hunting
27+
28+
# --- Query Content ---
29+
# The actual CrowdStrike Query Language (CQL) code.
30+
# Using the YAML block scalar `|` allows for multi-line strings.
31+
cql: |
32+
#event.dataset="falcon.identity"
33+
| network.protocol="ntlm_v1"
34+
| groupBy([SourceAccountUserName, host.hostname, TargetServerHostName])
35+
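Review bot: the `tags` list at line 26 contains only `Hunting`, although the comment at lines 23-24 asks for techniques, tactics or platforms; add at least the platform (Windows / Active Directory) and the credential-access tactic this query supports so it can be filtered consistently with the other queries in the repository. Two smaller points: the blog link at line 9 carries a tracking suffix (`?linkId=38338466&hl=en`) that can be dropped from a query description, and the title at line 3 writes `NTLMv1` while the description at line 8 writes `NTLM v1`; pick one spelling. The CQL itself (lines 32-34) is sound: `#event.dataset` is a tag field, the `network.protocol="ntlm_v1"` match is exact, and `groupBy` yields a `_count` per source account, host and target server, which is what a hunting query needs.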
Lines changed: 46 additions & 0 deletions
@@ -0,0 +1,46 @@
1+
# --- Query Metadata ---
2+
# Human-readable name for the query. Will be displayed as the title.
3+
name: Detect NTLMv1 Authentications (Windows Event Logs)
4+
5+
# Description of what the query does and its purpose.
6+
# Using the YAML block scalar `|` allows for multi-line strings.
7+
description: |
8+
This query detects NTLM v1 authentications using Windows Event Log telemetry.
9+
[Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation](https://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-deprecation-rainbow-tables?linkId=38338466&hl=en)
10+
11+
# The author or team that created the query.
12+
author: ByteRay GmbH
13+
14+
# The required log sources to run this query successfully in Next-Gen SIEM.
15+
# This will be displayed in the UI to inform the user.
16+
log_sources:
17+
- Endpoint
18+
19+
# The CrowdStrike modules required to run this query.
20+
cs_required_modules:
21+
- Insight
22+
23+
# Tags for filtering and categorization.
24+
# Include relevant techniques, tactics, or platforms.
25+
tags:
26+
- Hunting
27+
28+
# --- Query Content ---
29+
# The actual CrowdStrike Query Language (CQL) code.
30+
# Using the YAML block scalar `|` allows for multi-line strings.
31+
cql: |
32+
| windows.EventData.AuthenticationPackageName=NTLM
33+
| windows.EventData.LmPackageName!= "NTLM V2"
34+
| groupBy([windows.EventData.WorkstationName, user.target.name, windows.EventData.KeyLength])
35+
| rename(field="windows.EventData.WorkstationName", as="Hostname")
36+
| rename(field="user.target.name", as="Username")
37+
| rename(field="windows.EventData.KeyLength", as="KeyLength")
38+
| sort(field=KeyLength,type=number,order=desc)
39+
| case{
40+
KeyLength = 128
41+
| SSP := "Yes";
42+
in(field="KeyLength", values=[0,40,56])
43+
| SSP := "No"
44+
}
45+
| table([Hostname,Username,KeyLength,SSP])
46+
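Review bot: the query at lines 32-33 filters only on `AuthenticationPackageName=NTLM` and `LmPackageName != "NTLM V2"` without restricting the event source, so any event carrying those `EventData` fields will match; anchor it on the successful-logon event these fields come from (Security event ID 4624) with a leading `#event_simpleName` / event-id selector instead of the bare leading `|`. The `!=` exclusion also admits `LM` and `-` values in addition to `NTLM V1`; if catching LM is intended, say so in the description, otherwise match `LmPackageName="NTLM V1"` directly. In the `case` block at lines 39-44 there is no default branch, so a `KeyLength` outside `{0,40,56,128}` leaves `SSP` unset in the final `table` at line 45; add a wildcard branch such as `* | SSP := "Unknown"`, and document in the description what the `SSP` column denotes, since a reader cannot infer that from the key length alone. Finally, the `rename` calls at lines 35-37 could be replaced by `as=` arguments inside the `groupBy` function list, which keeps the pipeline shorter.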
