Hello,
I was wondering if someone could help me to better understand the following alert.
I have an alert of “successfully accessed for the first time using ntlmssp”. The log of the alert states that the “service” used was “ntlmssp”, with event code 4624. I’ve done some research online and I still can’t figure out what the user’s action was that generated this alert. I wanted to better understand what ntlmssp is and what the user’s action was that generated this alert.
NTLMSSP (NT LAN Manager Security Support Provider) is a security support provider that is available on all versions of DCOM. It uses the Microsoft Windows NT LAN Manager (NTLM) protocol for authentication.
That being said, I would take a look at the log’s logon_type keyword and see what that states, whether it’s NETWORK, REMOTE, etc. That will give you a better understanding of what type of authentication has happened or was attempted.
In this case the log contains the following information: “logon_type”: “NETWORK”, “result”: “SUCCESS”, “service”: “ntlmssp”, “eventCode”: 4624.
I would like to know if through the log I collected from the alert I can better understand how the user did the access/authentication.
I would like to understand if the user did Runas, PowerShell, Remote Desktop, etc., to access this restricted machine, or how the authentication is done using ntlmssp.
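Added example for this thread (not part of any of the posts above): a small triage helper for Windows Security event 4624 that turns the fields quoted in the thread (logon_type, service, eventCode) into the questions being asked: which logon type this was, whether NTLM rather than Kerberos carried it, and which user actions commonly produce that combination. The field names "logon_type", "service", "auth_package", "logon_process", "eventCode" and the SIEM labels such as "NETWORK" are assumptions modelled on the poster's log; rename them to match your own SIEM's schema. The logon type numbers and the Logon Process values are the ones documented for event 4624.

```python
# Added example (not the thread's own code). Triage helper for Windows
# Security event 4624. Field names below are assumptions modelled on the
# poster's SIEM output; adjust them to your own schema.

# Logon type values documented for event 4624 and the user actions that
# commonly produce them.
LOGON_TYPES = {
    2: "Interactive: local console logon",
    3: "Network: SMB share, WinRM/PowerShell remoting, RPC/WMI, IIS Windows auth",
    4: "Batch: scheduled task",
    5: "Service: service start",
    7: "Unlock: workstation unlock",
    8: "NetworkCleartext: e.g. IIS basic authentication",
    9: "NewCredentials: runas /netonly",
    10: "RemoteInteractive: Remote Desktop / Terminal Services",
    11: "CachedInteractive: cached domain credentials, e.g. laptop off-network",
}

# SIEM-style labels (as in the poster's log) mapped to the numeric logon type.
LABEL_TO_TYPE = {
    "INTERACTIVE": 2, "NETWORK": 3, "BATCH": 4, "SERVICE": 5, "UNLOCK": 7,
    "NETWORK_CLEARTEXT": 8, "NEW_CREDENTIALS": 9, "REMOTE_INTERACTIVE": 10,
    "CACHED_INTERACTIVE": 11,
}

# The 4624 "Logon Process" field, when the SIEM preserves it, narrows the
# picture further than the logon type alone.
LOGON_PROCESS_HINTS = {
    "ntlmssp": "NTLM network logon handled by the NTLM security support provider",
    "user32": "winlogon: console or Remote Desktop logon",
    "seclogo": "explicit credentials, typically runas /netonly",
    "advapi": "LogonUser API, e.g. runas without /netonly or a scheduled task",
    "kerberos": "Kerberos ticket presented",
}


def normalise_logon_type(value):
    """Accept the numeric LogonType or a SIEM label such as 'NETWORK'."""
    if isinstance(value, int):
        return value
    text = str(value).strip().upper()
    if text.isdigit():
        return int(text)
    return LABEL_TO_TYPE.get(text)


def triage_logon(event):
    """Summarise what a 4624 event does and does not say about the user's action."""
    if int(event.get("eventCode", 0)) != 4624:
        raise ValueError("expected Windows Security event 4624")
    logon_type = normalise_logon_type(event.get("logon_type"))
    service = str(event.get("service", "")).strip().lower()
    auth_pkg = str(event.get("auth_package", "")).strip().upper()
    logon_process = str(event.get("logon_process", service)).strip().lower()
    ntlm = service == "ntlmssp" or auth_pkg == "NTLM"

    hints = []
    if ntlm:
        hints.append("NTLM was used instead of Kerberos: typical when the host is "
                     "addressed by IP, the client is not domain-joined, or a "
                     "local account was used.")
    if logon_type == 3:
        hints.append("Type 3 creates no desktop session: not an interactive runas "
                     "and not a completed RDP session (type 10). RDP with Network "
                     "Level Authentication does log a type 3 first, so check for a "
                     "following type 10 from the same source.")
    elif logon_type == 9:
        hints.append("Type 9 is runas /netonly: the new credentials are used only "
                     "for outbound network connections.")
    elif logon_type == 10:
        hints.append("Type 10 is a Remote Desktop session.")
    if logon_process in LOGON_PROCESS_HINTS:
        hints.append(LOGON_PROCESS_HINTS[logon_process])

    return {
        "logon_type": logon_type,
        "logon_type_name": LOGON_TYPES.get(logon_type, "unknown"),
        "ntlm": ntlm,
        "hints": hints,
        # Fields to pivot on elsewhere in the logs to reconstruct the action.
        "pivot": ["workstation name / source IP of the client",
                  "Target Logon ID -> 4672 (privileges) and 4688 (process creation) in that session",
                  "5140/5145 share access, WinRM or RDP logs on the same host"],
    }


# Constructed sample modelled on the fields quoted in the thread.
SAMPLE_EVENT = {"logon_type": "NETWORK", "result": "SUCCESS",
                "service": "ntlmssp", "eventCode": 4624}

if __name__ == "__main__":
    for key, value in triage_logon(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```

For the event quoted in the thread this classifies the logon as type 3 over NTLM: credentials were presented over the network without a desktop session, which rules out an interactive runas or a completed Remote Desktop session on its own, but does not by itself say whether the client was an SMB share mount, WinRM/PowerShell remoting, WMI or the NLA step of an RDP connection. The returned "pivot" list names the fields that resolve that, with the client workstation and source IP being the first things to look up.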
Paulo,
I had a similar question.
Were you able to find out more details on what the background on it is and what type of activity is considered malicious?