Audit NTLM using Azure Sentinel – part 1
This time we are going to take a closer look at NTLM usage. Most likely you have seen the news about #PetitPotam and the NTLM relay attack scenarios against Active Directory Certificate Services.
One of Microsoft's recommendations is to disable NTLM in your environment, but we all know that this can be tough to achieve. Secondly, Microsoft does not offer a good approach for finding out where it is still used: reading the event logs from every server with PowerShell does not scale. We need something better than that.
So the first step towards getting rid of NTLM is to get visibility into its use across your environment.
What do you need?
- Log Analytics workspace
- Azure Sentinel
NTLM Auditing
Before we add extra log collection to the Log Analytics workspace, we need to enable three audit policies in our environment:
- Network security: Restrict NTLM: Audit NTLM authentication in this domain
  - Applies to domain controllers only
- Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
- Network security: Restrict NTLM: Audit Incoming NTLM Traffic
PS! We are only going to set these policies to audit mode. We are not going to block anything. Because the first policy only makes sense on domain controllers, you need to create two different Group Policy Objects: one for domain controllers and one for the other servers.
Group Policies
Create the following policies for domain controllers and servers:
Domain Controllers
- Create a new Group Policy Object, for example "DC NTLM Auditing"
- Open the newly created Group Policy Object
- Expand Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
- Open the Network security: Restrict NTLM: Audit NTLM authentication in this domain policy
- Set the policy value to "Enable all"
- Link the GPO to the Domain Controllers OU
That covers the domain controllers. In the second GPO we enable two different audit policies for the other servers:
- Create a new Group Policy Object, for example "NTLM Auditing Other Servers"
- Open the newly created Group Policy Object
- Expand Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
- Open the Network security: Restrict NTLM: Audit Incoming NTLM Traffic policy
- Set the policy value to "Enable auditing for all accounts"
- Open the Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers policy
- Set the policy value to "Audit all"
- Link the GPO to the OU(s) that contain your member servers
Wait for AD replication and Group Policy refresh (or run gpupdate /force on a test server), then verify the logs. On your servers you should see entries in Event Viewer under Applications and Services Logs\Microsoft\Windows\NTLM\Operational. You can also use the PowerShell Get-WinEvent cmdlet:
- Get-WinEvent -LogName "Microsoft-Windows-NTLM/Operational"
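The following script is an added example (it is not part of the original post) for checking one server after the GPO has applied. It counts the audit events the three policies produce (8001 outgoing NTLM from this host, 8002 incoming NTLM to this host, 8003 NTLM authentication validated by a domain controller) and summarises who is talking NTLM to what. The "Key: value" lines it parses out of the event message (Target server, Supplied user, Name of client process) are an assumption about the message wording on your build; adjust the keys if they differ.

```powershell
# Added example, not code from the original post.
# Summarise the local Microsoft-Windows-NTLM/Operational log after enabling the audit GPOs.
param(
    [int]$Hours = 24   # look-back window, assumption: 24 h is enough for a first check
)

# 8001 = outgoing NTLM (client side), 8002 = incoming NTLM (server side),
# 8003 = NTLM authentication validated in the domain (only logged on domain controllers).
$filter = @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8001, 8002, 8003
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No NTLM audit events in the last $Hours h. Check that the GPO applied (gpresult /r) and that the log is enabled."
    return
}

# Counts per event ID show in which direction NTLM is being used on this host.
$events | Group-Object Id |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Extract a "Key: value" line from the event message text.
# The key names below are an assumption about the message wording; adjust if your build differs.
function Get-MessageField {
    param([string]$Message, [string]$Key)
    if ($Message -match "(?m)^$([regex]::Escape($Key)):\s*(.*?)\s*$") { return $Matches[1] }
    return $null
}

# Who (process / supplied user) authenticates with NTLM to which target, most frequent first.
$events | ForEach-Object {
    [pscustomobject]@{
        Time          = $_.TimeCreated
        EventId       = $_.Id
        Computer      = $_.MachineName
        TargetServer  = Get-MessageField $_.Message 'Target server'
        SuppliedUser  = Get-MessageField $_.Message 'Supplied user'
        ClientProcess = Get-MessageField $_.Message 'Name of client process'
    }
} | Group-Object EventId, TargetServer, ClientProcess, SuppliedUser |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run it on a member server to see 8001/8002 and on a domain controller to see 8003 as well. Seeing 8001 events with a client process name already tells you which applications would break if outgoing NTLM were later set to "Deny all".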
The next step is to enable log collection on your Log Analytics workspace
Log Analytics workspace configuration
- Open the Azure portal (portal.azure.com)
- Browse your Log Analytics workspace
- Under the Log Analytics workspace, choose “Agent Configuration“
- Click + Add Windows Event Log
- Enter “Microsoft-Windows-NTLM/Operational“
- Click Apply
Now we need to wait for the new agent configuration to reach the agents and for the first events to arrive, then check the logs with the following KQL query:
- Event | where EventLog == "Microsoft-Windows-NTLM/Operational"
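As an added example (not from the original post), the same workspace change and the verification query can be done from PowerShell with the Az.OperationalInsights module, which is handy when you have more than one workspace. Resource group and workspace names are assumptions; the query additionally breaks the count down per computer and event ID so you can see at once which hosts are reporting and whether the DC (8003) and member server (8001/8002) policies both work.

```powershell
# Added example, not code from the original post. Requires the Az.OperationalInsights module.
Import-Module Az.OperationalInsights

$ResourceGroup = 'rg-security'       # assumption: replace with your resource group
$WorkspaceName = 'law-sentinel'      # assumption: replace with your workspace name
$EventLogName  = 'Microsoft-Windows-NTLM/Operational'
$SourceName    = 'NTLM-Operational'  # display name of the data source, assumption

Connect-AzAccount | Out-Null

# Equivalent of "Agent Configuration -> + Add Windows Event Log" in the portal.
# The NTLM audit events are Information level, so -CollectInformation is the one that matters.
$source = Get-AzOperationalInsightsDataSource -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName `
    -Name $SourceName -ErrorAction SilentlyContinue
if (-not $source) {
    New-AzOperationalInsightsWindowsEventDataSource -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName `
        -Name $SourceName -EventLogName $EventLogName -CollectErrors -CollectWarnings -CollectInformation | Out-Null
    Write-Host "Added Windows event log data source '$EventLogName'"
}

# Verification query: per computer and event ID, so missing hosts or a missing
# policy (e.g. no 8003 from the DCs) stand out immediately.
$query = @'
Event
| where TimeGenerated > ago(7d)
| where EventLog == "Microsoft-Windows-NTLM/Operational"
| where EventID in (8001, 8002, 8003)
| summarize Events = count(), LastSeen = max(TimeGenerated) by Computer, EventID
| order by Events desc
'@

$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId -Query $query
$result.Results | Format-Table Computer, EventID, Events, LastSeen -AutoSize
```

If a server that logs events locally does not show up in the result, the usual causes are the agent not being connected to this workspace or the configuration not having reached it yet.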
If you see the log entries on your workspace, then you have successfully configured the auditing part.
Now we need to wait and collect logs. After that, we can start analyzing the data and see what we can do or not.
Stay tuned, and we will come back for part 2.