logo

Query Exchange

Built off the open source project Osquery

The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Check for weak authentication types (LM/NTLM)

Status: Approved Submitted by on ‎08-06-2019 09:24 PM

Description: Query looks for machines using weak authentication types LM/NTLM which use weak encryption algorithms that are almost as similar to sending passwords in plain text. NTLM is also old and vulnerable to relay attacks. Ensuring all devices only use NTLMv2 or higher and refuse LM/NTLM is absolutely necessary, anything below it is a critical security concern and should be re-mediated as soon as possible.  
What The Data Shows: Provides the registry value of all devices, the compatibility reg key which value should always be 5.
 
EDIT: updated the query to only show devices that do not have the "lmcompatibility" reg key value equal to 5 since we are only concerned about devices that allow LM/NTLM).
SQL:

SELECT

CASE COUNT(*)

WHEN 0 THEN "FALSE"

ELSE "TRUE"

END "NTLMv2 Only Enabled"

FROM registry

WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LMCompatibilityLevel'

AND data != 5;
Tags (3)
Comment
4 Comments
jnelson
Carbon Black Employee
‎08-06-2019 10:47 PM
‎08-06-2019 10:47 PM
Status changed to: Under Review

@mjomha according to https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960646(v=tec... the name of the key is LMCompatibilityLevel. Additionally, the key is not there by default so this query would return a false negative if it is not present. Would you consider the following to give a definite answer whether the key is there or not:

SELECT
    CASE COUNT(*)
        WHEN 0 THEN "FALSE"
        ELSE "TRUE"
    END "NTLMv2 Only Enabled"
FROM registry
WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LMCompatibilityLevel'
    AND data != 5;
mjomha
Contributor
‎08-06-2019 11:14 PM
‎08-06-2019 11:14 PM

@jnelson 

 

Thanks for noticing, I should avoid playing with queries late night 🙂.

 

You are correct I missed the full regkey value in my query. I based this query on our environment. We use Microsoft’s GPO security baseline with some of our hardened policies so I was taking into consideration other organizations running this query would be using it or something similar (CIS, NIST...etc baselines) which of course have this reg key and value in their baseline. If organizations do not have this reg key set to 5 it would fire off on all devices which is an easy remediation (New GPO applied to all devices on a domain. My aim was to determine if some machines were not applying the policy in which a sysadmin/security analyst could check the machines in question and troubleshoot why the policy isn’t being applied to it. I have a habit of always using baselines so I was under the assumption that the regkey existed already as I have yet to see a machine without (must be a good thing 🙂).

 

But your modification does make a lot of sense, appreciate the help!

 

Updated the query. Thanks!!

jnelson
Carbon Black Employee
‎08-07-2019 06:49 AM
‎08-07-2019 06:49 AM
Status changed to: Approved

Thanks for the great explanation!

jnelson
Carbon Black Employee
‎01-10-2022 02:59 PM
‎01-10-2022 02:59 PM

@mjomha I was playing around with this query and wanted to make the response a little more definitive. Here is what I came up with:

select

  case

    when data = '5' then 'TRUE'

    when count(*) = 0 then 'FALSE'

    else 'FALSE'

  end 'NTLMv2 Only Enabled',

  case

    when data = '0' then 'Send LM & NTLM responses ONLY'

    when data = '1' then 'Send LM & NTLM – use NTLMv2 session security if negotiated'

    when data = '2' then 'Send NTLM response only'

    when data = '3' then 'Send NTLMv2 response only. LM, NTLM, and NTLMv2 authentication still accepted'

    when data = '4' then 'Send NTLMv2 response only. Refuse LM'

    when count(*) = 0 then 'Registry key does not exist'

    else 'N/A'

   end 'details'

from registry

where path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel';
logo