DumpGuard NTLM challenge detected
Detect Dump Guard Ntlm Challenge
Query
DeviceNetworkEvents
// Get NTLM Challenges
| where ActionType == "NetworkSignatureInspected"
| where tostring(todynamic(AdditionalFields).SignatureName) =~ "NTLM-Challenge"
// Extract the NTLM Sample Packet
| extend SamplePacketContent = extract('\\["(.+)"\\]', 1, tostring(todynamic(AdditionalFields).SamplePacketContent))
// Remove % values, since the '1122334455667788' is easy to find without conversions
| extend NewSamplePacketContent = strcat_array(split(SamplePacketContent, "%"), "")
| where NewSamplePacketContent contains "1122334455667788"About this query
Explanation
This query is designed to detect a specific type of security threat involving the DumpGuard tool, which attackers use to bypass Credential Guard on devices. Here's a simplified breakdown of what the query does:
-
Data Source: It looks at network events on devices, specifically those events where network signatures are inspected.
-
Filter for NTLM Challenges: The query filters these events to find those related to NTLM challenges, a type of authentication process.
-
Extract Packet Content: It extracts the content of the NTLM sample packet from the event data.
-
Remove Encoding: The query removes any percentage encoding from the packet content to make it easier to analyze.
-
Detect Hard-Coded Value: It checks if the packet content contains a specific hard-coded value ("1122334455667788") known to be used by the DumpGuard tool.
The purpose of this query is to identify potential misuse of the DumpGuard tool, which can be used to dump credentials even when Credential Guard is enabled. However, the detection relies on a static indicator (the hard-coded value), which can be easily changed by attackers, making this detection method less reliable. Nonetheless, if this specific pattern is detected, it is a strong indicator of a true positive security threat.
