What is ntlmssp

Hello,
I was wondering if someone could help me to better understand the following alert.
I have an alert of successfully accessed for the first time using ntlmssp. The log of the alert states that the “service” was used: “ntlmssp” with event code 4624. I’ve done some research online and I still can’t figure out what was the user’s action to generate this alert. I wanted to better understand what ntlmssp is and what was the user’s action to generate this alert.

Thank you.

Hey @paulo_silva,

NTLMSSP (NT LAN Manager Security Support Provider) is a security support provider that is available on all versions of DCOM. It uses the Microsoft Windows NT LAN Manager (NTLM) protocol for authentication.

That being said, I would take a look at the log’s logon_type keyword and see what that states, whether it’s NETWORK, REMOTE, etc. That will give you a better understanding of what type of authentication has happened or was attempted.

Hey @SDavis,
Thank you very much for your help.

In this case the log contains the following information: “logon_type”: “NETWORK”, “result”: “SUCCESS”, “service”: “ntlmssp”, “eventCode”: 4624.
I would like to know if through the log I collected from the alert I can better understand how the user did the access/authentication.

I would like to understand if the user did Runas, PowerShell, Remote Desktop, etc, to access this restricted machine. Or how the authentication is done using ntlmssp.

Thank you very much.
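As an added example (not part of the thread and not the alerting product's own logic), the sketch below shows how a "first time" alert of this kind can be reproduced from the fields quoted above. The `logon_type`, `result`, `service` and `eventCode` fields come from the thread; the `user`, `source` and `destination` fields and all sample records are constructed for illustration.

```python
import json

# Constructed sample records, one JSON object per line. "user", "source" and
# "destination" are hypothetical field names; the other fields are the ones
# quoted in the thread. The "kerberos" and "FAILURE" values are constructed.
SAMPLE_LOG = """\
{"user": "alice", "source": "WS-01", "destination": "FS-01", "logon_type": "NETWORK", "result": "SUCCESS", "service": "ntlmssp", "eventCode": 4624}
{"user": "alice", "source": "WS-01", "destination": "FS-01", "logon_type": "NETWORK", "result": "SUCCESS", "service": "ntlmssp", "eventCode": 4624}
{"user": "bob", "source": "WS-02", "destination": "FS-01", "logon_type": "REMOTE", "result": "SUCCESS", "service": "kerberos", "eventCode": 4624}
{"user": "alice", "source": "WS-03", "destination": "RESTRICTED-01", "logon_type": "NETWORK", "result": "SUCCESS", "service": "ntlmssp", "eventCode": 4624}
{"user": "bob", "source": "WS-02", "destination": "RESTRICTED-01", "logon_type": "NETWORK", "result": "FAILURE", "service": "ntlmssp", "eventCode": 4625}
"""


def is_ntlm_network_logon(rec):
    """True for a successful 4624 NETWORK logon authenticated via ntlmssp."""
    return (
        int(rec.get("eventCode", 0)) == 4624
        and rec.get("result") == "SUCCESS"
        and rec.get("logon_type") == "NETWORK"
        and str(rec.get("service", "")).lower() == "ntlmssp"
    )


def first_time_ntlm_network_logons(lines):
    """Return the first matching record for each (user, destination) pair."""
    seen = set()
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if not is_ntlm_network_logon(rec):
            continue
        key = (rec["user"].lower(), rec["destination"].lower())
        if key not in seen:  # first time this user reached this machine
            seen.add(key)
            alerts.append(rec)
    return alerts


if __name__ == "__main__":
    for rec in first_time_ntlm_network_logons(SAMPLE_LOG.splitlines()):
        print(f'{rec["user"]} -> {rec["destination"]} (from {rec["source"]})')
```

A NETWORK logon is recorded on the machine being accessed, so the originating host in a flagged record is the place to pivot to when working out what the user actually ran.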