
Audit use of NTLMv1 on a domain controller - Windows Server
January 15, 2025 · To find applications that use NTLMv1, enable Logon Success Auditing on the domain controller, and then look for Success auditing Event 4624, which contains information about the version of NTLM. You will receive event logs that resemble the following ones: An account was successfully logged on.
How to audit NTLM authentication on Windows 11 22H2 and …
February 12, 2025 · Some users were recently approved for Windows 11 testing so had their workstations upgraded to Windows 11 24H2. This means credential guard is enabled by default and that means the NTLM logs on those endpoints now are useless because NTLM is blocked outright and the 4014 event IDs are empty because no NTLM is allowed to work.
NTLM Blocking and You: Application Analysis and Auditing …
April 4, 2019 · Windows 7 and Windows Server 2008 R2 introduce a long sought feature known as NTLM blocking. This prevents NTLM from being used for authentication. It works in both a send or receive mode, and allows you to create exceptions.
NTLM Auditing - Event logs - Microsoft Q&A
November 1, 2023 · I recently enabled auditing of NTLM events. I am just trying to understand the output from the security log Microsoft\NTLM logs view. I am seeing multiple events with the same device listed in Secure Channel name with different workstations.
Enriched NTLM authentication data using Windows Event 8004
Starting from Version 2.96, Azure ATP sensors parse Windows event 8004 for NTLM authentications. When NTLM auditing is enabled and Windows event 8004 is logged, Azure ATP sensors automatically read the event and enrich your NTLM authentication activities display with the accessed server data.
How to Investigate NTLM Brute Force Attacks - Varonis
November 2, 2022 · Malicious actors routinely use the NTLM authentication protocol to carry out account enumeration and brute force-styled attacks to compromise accounts within a victim’s network. Once inside, an attacker can gain persistence, exfiltrate …
Windows Security Log Event ID 4776
When a domain controller successfully authenticates a user via NTLM (instead of Kerberos), the DC logs this event. It specifies which user account logged on (Account Name) as well as the name of the client computer from which the user initiated the logon (the Workstation field).
please help auditing NTLM log - Windows - Spiceworks Community
April 14, 2022 · I enabled the “Network Security: Restrict NTLM: Audit NTLM authentication in this domain” and set it to “Enable all.” Then I checked the NTLM operation log on the domain controller. This log is full of the below event. D…
Audit and disable NTLMv1 - 4sysops
June 27, 2024 · This can be done by auditing the success of authentication events on domain controllers and all member servers. You can direct the successful logon events (ID 4624) to a single computer for easier assessment. The example below provides details for an event identified by ID 4624. Information about NTLM is available in the Package Name section.
Clarification on NTLM Authentication Events (Event ID 4625
March 16, 2025 · While monitoring authentication events in the SOC, I frequently encounter multiple failed (Event ID: 4625) and successful (Event ID: 4624) login attempts associated with NTLM authentication. Upon investigating the affected machine, I found no active NTFS shares or resources being accessed. Despite this, NTLM events continue to appear in the logs.