title: NTLMv1 Logon Between Client and Server
id: e9d4ab66-a532-4ef7-a502-66a9e4a34f5d
status: experimental
description: Detects the reporting of NTLMv1 being used between a client and server
author: Tim Shelton
date: 2022/04/26
modified: 2022/05/02
references:
    - https://attack.mitre.org/techniques/T1550/002/
tags:
    - attack.execution
    - attack.t1550.002
    - attack.s0363
fields:
    - EventID
    - Provider_Name
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: "LsaSrv"
        EventID: 6038
    condition: selection
falsepositives:
    - Environments that use NTLMv1
level: low