Think you have a false positive on this rule?

Sid 1-50721

Message

OS-WINDOWS Microsoft Windows malformed NTLMv2 authentication message attempt

Summary

This event is generated when there is an authentication bypass attempt via NTLMv2 relay attack.

Impact

Attempted User Privilege Gain

Detailed information

Event is triggered upon a malicious NTLMv2 Challenge sent from a proxy to a client machine in an attempt to steal a valid session key. This will allow the relayer to use the stolen session key to recalculate MIC and authenticate to the target server.

Affected systems

Ease of attack

False positives

False negatives

Corrective action

Limit NTLMv2 use and disable NTLMv1.

Contributors

  • Cisco Talos Intelligence Group

Additional References

  • CVE-2019-1019
  • portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1019