From b48b6ca96ae2d0dc556725150d311c226bf9380b Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 3 Dec 2024 22:38:04 +0100
Subject: [PATCH] Update registry_event_net_ntlm_downgrade.yml

---
 .../registry_event_net_ntlm_downgrade.yml | 31 ++++++++++++-------
 1 file changed, 20 insertions(+), 11 deletions(-)

diff --git a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
index 824a735dfc1..3a92db07883 100644
--- a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
+++ b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
@@ -4,7 +4,8 @@ status: test
 description: Detects NetNTLM downgrade attack
 references:
 - https://web.archive.org/web/20171113231705/https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
-author: Florian Roth (Nextron Systems), wagga
+ - https://www.ultimatewindowssecurity.com/wiki/page.aspx?spid=NSrpcservers
+author: Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk STRT)
 date: 2018-03-20
 modified: 2024-12-03
 tags:
@@ -15,22 +16,30 @@ logsource:
 product: windows
 category: registry_event
 detection:
- selection:
+ selection_regkey:
 TargetObject|contains|all:
 - 'SYSTEM\'
 - 'ControlSet'
 - '\Control\Lsa'
- selection_lmcompatibilitylevel:
+ selection_value_lmcompatibilitylevel:
 TargetObject|endswith: '\lmcompatibilitylevel'
 Details:
- - 0
- - 1
- - 2
- selection_ntlmminclientsec:
- TargetObject|endswith:
- - '\NtlmMinClientSec'
- - '\RestrictSendingNTLMTraffic'
- condition: selection and 1 of selection_*
+ - 'DWORD (0x00000000)'
+ - 'DWORD (0x00000001)'
+ - 'DWORD (0x00000002)'
+ selection_value_ntlmminclientsec:
+ TargetObject|endswith: '\NtlmMinClientSec'
+ Details:
+ - 'DWORD (0x00000000)' # No Security
+ - 'DWORD (0x00000010)' # Only Integrity
+ - 'DWORD (0x00000020)' # Only confidentiality
+ - 'DWORD (0x00000020)' # Both Integrity and confidentiality
+ selection_value_ntlmminclientsec:
+ # Note: The obvious values with issues are 0x00000000 (allow all) and 0x00000001 (audit).
+ # 0x00000002 can be secure but only if "ClientAllowedNTLMServers" is properly configured
+ # Hence all values should be monitored and investigated
+ TargetObject|endswith: '\RestrictSendingNTLMTraffic'
+ condition: selection_regkey and 1 of selection_value_*
 falsepositives:
 - Services or tools that set the values to more restrictive values
 level: high
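Review bot: The key `selection_value_ntlmminclientsec` is added twice under `detection`, once for `\NtlmMinClientSec` with its Details list and once for `\RestrictSendingNTLMTraffic`; YAML loaders that tolerate duplicate keys keep the last mapping, so the NtlmMinClientSec selection is silently dropped and only writes to RestrictSendingNTLMTraffic can fire the rule (yamllint's `key-duplicates` check would reject the file outright). Renaming the second block, e.g. `selection_value_restrictsendingntlmtraffic:`, keeps both selections, and `condition: selection_regkey and 1 of selection_value_*` already covers the new name. The NtlmMinClientSec Details list also lists `'DWORD (0x00000020)'` twice with different comments; if the fourth entry is meant to be the integrity and confidentiality flags combined, as its comment says, that would presumably be `0x00000030` rather than a repeat of `0x00000020` — confirm against the referenced documentation before changing it.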