KQL Search

Query Details

HomeAI ToolsDevice Query

Detect Dump Guard Ntlm Challenge

Query

# *DumpGuard NTLM challenge detected*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1003.004 | OS Credential Dumping: LSA Secrets | https://attack.mitre.org/techniques/T1003/004/ |
| T1003 | OS Credential Dumping | https://attack.mitre.org/techniques/T1003/ |

#### Description
With the DumpGuard tool, attackers are able to dump credetials via Remote Credential Guard on devices that have Credential Guard enabled. The creator of the DumpGuard tool purposely used a hard-coded NTLMv1 challenge into the tool, for easy detection. 

> [!WARNING]
> Since the detection relies on a static IOC that can easily be changed in the source code, this detection has a low confidence score since it can be easily bypassed. However, if the detection hits it is almost 100% certain the alert will be TP.
> Also take into account that the `NetworkSignatureInspected` ActionType in MDE is sampled, which means not very event will be logged. 

#### Risk
This detection tries to mitigate the risk of attackers bypassing Credential Guard on devices by using the DumpGuard tool. 

#### Author <Optional>
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/

#### References
- https://specterops.io/blog/2025/10/23/catching-credential-guard-off-guard/

## Defender XDR
```KQL
DeviceNetworkEvents
// Get NTLM Challenges
| where ActionType == "NetworkSignatureInspected"
| where tostring(todynamic(AdditionalFields).SignatureName) =~ "NTLM-Challenge"
// Extract the NTLM Sample Packet
| extend SamplePacketContent = extract('\\["(.+)"\\]', 1, tostring(todynamic(AdditionalFields).SamplePacketContent))
// Remove % values, since the '1122334455667788' is easy to find without conversions
| extend NewSamplePacketContent = strcat_array(split(SamplePacketContent, "%"), "")
| where NewSamplePacketContent contains "1122334455667788"
```

Explanation

This query is designed to detect a specific type of security threat involving the DumpGuard tool, which attackers use to bypass Credential Guard on devices. Here's a simplified breakdown of what the query does:

  1. Data Source: It looks at network events on devices, specifically those events where network signatures are inspected.

  2. Filter for NTLM Challenges: The query filters these events to find those related to NTLM challenges, a type of authentication process.

  3. Extract Packet Content: It extracts the content of the NTLM sample packet from the event data.

  4. Remove Encoding: The query removes any percentage encoding from the packet content to make it easier to analyze.

  5. Detect Hard-Coded Value: It checks if the packet content contains a specific hard-coded value ("1122334455667788") known to be used by the DumpGuard tool.

The purpose of this query is to identify potential misuse of the DumpGuard tool, which can be used to dump credentials even when Credential Guard is enabled. However, the detection relies on a static indicator (the hard-coded value), which can be easily changed by attackers, making this detection method less reliable. Nonetheless, if this specific pattern is detected, it is a strong indicator of a true positive security threat.

Details

Robbe Van den Daele profile picture

Robbe Van den Daele

Released: October 24, 2025

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsAdditionalFieldsSignatureNameSamplePacketContent

Operators

DeviceNetworkEvents|where==tostringtodynamic=~extendextract1strcat_arraysplitcontains

Actions