OS-WINDOWS Microsoft Windows malformed NTLMv2 authentication message attempt
This event is generated when there is an authentication bypass attempt via an NTLMv2 relay attack.
Attempted User Privilege Gain
The event is triggered when a malicious NTLMv2 Challenge is sent from a proxy to a client machine in an attempt to steal a valid session key. A stolen session key allows the relayer to recalculate the MIC (message integrity code) and authenticate to the target server.
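The server-side MIC check that the description above refers to, as an added example that is not part of the original rule documentation: per MS-NLMP the MIC is an HMAC-MD5, keyed with the exported session key, over the NEGOTIATE, CHALLENGE and AUTHENTICATE messages with the MIC field zeroed. The messages and key below are constructed, simplified samples, and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import struct

SIGNATURE = b"NTLMSSP\x00"
MIC_OFFSET, MIC_LEN = 72, 16  # MIC follows the 8-byte Version field in AUTHENTICATE

def compute_mic(session_key, negotiate, challenge, authenticate):
    """HMAC-MD5 over all three messages, with the MIC field zeroed."""
    zeroed = (authenticate[:MIC_OFFSET] + b"\x00" * MIC_LEN
              + authenticate[MIC_OFFSET + MIC_LEN:])
    return hmac.new(session_key, negotiate + challenge + zeroed, hashlib.md5).digest()

def verify_mic(session_key, negotiate, challenge, authenticate):
    """Server-side check: does the MIC in AUTHENTICATE match the transcript?"""
    if len(authenticate) < MIC_OFFSET + MIC_LEN:
        return False
    if not authenticate.startswith(SIGNATURE):
        return False
    claimed = authenticate[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    expected = compute_mic(session_key, negotiate, challenge, authenticate)
    return hmac.compare_digest(claimed, expected)

def _message(msg_type, body):
    # Hypothetical helper: NTLMSSP signature + little-endian message type + body.
    return SIGNATURE + struct.pack("<I", msg_type) + body

def build_sample():
    """Constructed, simplified messages: correct field offsets, filler contents."""
    key = bytes(range(16))  # constructed exported session key
    negotiate = _message(1, b"\x00" * 28)
    challenge = _message(2, b"\x00" * 12 + b"\x11" * 8 + b"\x00" * 24)
    auth = _message(3, b"\x00" * (MIC_OFFSET - 12) + b"\x00" * MIC_LEN
                    + b"constructed-payload")
    mic = compute_mic(key, negotiate, challenge, auth)
    auth = auth[:MIC_OFFSET] + mic + auth[MIC_OFFSET + MIC_LEN:]
    return key, negotiate, challenge, auth

if __name__ == "__main__":
    key, neg, chal, auth = build_sample()
    print("untouched transcript:", verify_mic(key, neg, chal, auth))
    altered = chal[:24] + b"\x22" * 8 + chal[32:]  # challenge changed in transit
    print("altered challenge:   ", verify_mic(key, neg, altered, auth))
```

The only secret input to the MIC is the session key, so the check detects a modified challenge only as long as that key stays with the legitimate client and server.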
Ease of attack
Limit NTLMv2 use and disable NTLMv1.
- Cisco Talos Intelligence Group