NTLM Auditing - Event logs

Question

NTLM Auditing - Event logs

Bob Pants 261

I recently enabled autiting of NTLM events. I am just trying to understand the output from the security log Microsoft\NTLM logs view.

I am seeing multiple events with the same device listed in Secure Channel name with different workstations.

Which is the item I need to be concerned about? the S-Channel or Workstation?

The event looks something like this. So, I might have 50 events from the same S-Channel name but differing workstation names

Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.

Secure Channel name: Server-1

User name: Bob

Domain name: Mydomain

Workstation name: Server-2

Secure Channel type: 2

Audit NTLM authentication requests within the domain mydomain that would be blocked if..

I've tried a couple of different PS scripts I found online to interrogate these logs, neither work. one only lists the same S-Channel name in every item the other returns nothing.

example: (lists the same entry repeatdly)
$Events = Get-WinEvent -Logname security -FilterXPath "Event[System[(EventID=4624)]]and Event[EventData[Data[@Name='LmPackageName']='NTLM V1']]" | Select-Object `

@{Label='Time';Expression={$_.TimeCreated.ToString('g')}},

@{Label='UserName';Expression={$_.Properties[5].Value}},

@{Label='WorkstationName';Expression={$_.Properties[11].Value}},

@{Label='LogonType';Expression={$_.properties[8].value}},

@{Label='ImpersonationLevel';Expression={$_.properties[20].value}}

$Events | Out-GridView

Bob Pants 261 Reputation points

2023-11-08T03:41:09.0466667+00:00

I just can't make any sense of these logs. After enabling NTLM audit via GP using this document - https://woshub.com/disable-ntlm-authentication-windows/

After doing this, there is a new log created under Application and Service logs - NTLM/Operational which contains eventid 8006's. The issue is, these events contain many devies that do not appear at all in the 4624 events in the security log, so IDK which ones I am meant to be concerned about

The 8006 id also contains both a "Secure Channel Name" and a "Workstation" name, often are different devices in the same event, neither being a DC. So again, which is the one generating the NTLM event that I need to be concerned about?

Also, I take it that these events arent replicated and I need to search all dc's fror these events. I still havent found any script to scrape these logs that works
Geoff Crookshanks 0 Reputation points

2025-01-14T17:02:22.09+00:00
I just started down this rabbit hole recently myself and based on what I've found so far, the following are the names of the secure channel types.

NullSecureChannel = 0,

MsvApSecureChannel = 1,

WorkstationSecureChannel = 2,

TrustedDnsDomainSecureChannel = 3,

TrustedDomainSecureChannel = 4,

UasServerSecureChannel = 5,

ServerSecureChannel = 6,

CdcServerSecureChannel = 7

So, Secure Channel type: 2 is described as 'WorkstationSecureChannel' which is then defined as 'A secure channel from a domain member to a Domain Controller.'

Knowing this, I'm assuming that the 'domain member' is the user and workstation accounts shown. (Yes, computers are people too in the world of AD) They are the source of the NTML request.

I'm still learning, but that's my educated guess so far.

1 answer

Your answer

Bob Pants 261 Reputation points

2023-11-08T03:41:09.0466667+00:00

I just can't make any sense of these logs. After enabling NTLM audit via GP using this document - https://woshub.com/disable-ntlm-authentication-windows/

After doing this, there is a new log created under Application and Service logs - NTLM/Operational which contains eventid 8006's. The issue is, these events contain many devies that do not appear at all in the 4624 events in the security log, so IDK which ones I am meant to be concerned about

The 8006 id also contains both a "Secure Channel Name" and a "Workstation" name, often are different devices in the same event, neither being a DC. So again, which is the one generating the NTLM event that I need to be concerned about?

Also, I take it that these events arent replicated and I need to search all dc's fror these events. I still havent found any script to scrape these logs that works
Geoff Crookshanks 0 Reputation points

2025-01-14T17:02:22.09+00:00

I just started down this rabbit hole recently myself and based on what I've found so far, the following are the names of the secure channel types.

NullSecureChannel = 0,

MsvApSecureChannel = 1,

WorkstationSecureChannel = 2,

TrustedDnsDomainSecureChannel = 3,

TrustedDomainSecureChannel = 4,

UasServerSecureChannel = 5,

ServerSecureChannel = 6,

CdcServerSecureChannel = 7

So, Secure Channel type: 2 is described as 'WorkstationSecureChannel' which is then defined as 'A secure channel from a domain member to a Domain Controller.'

Knowing this, I'm assuming that the 'domain member' is the user and workstation accounts shown. (Yes, computers are people too in the world of AD) They are the source of the NTML request.

I'm still learning, but that's my educated guess so far.

Answer 1

Anonymous

Hi,

You need to append a backtick (`) character to each line of a command if it's split into multiple lines. Please see if this works.

$Events = Get-WinEvent -Logname security -FilterXPath "Event[System[(EventID=4624)]]and Event[EventData[Data[@Name='LmPackageName']='NTLM V1']]" | Select-Object `
@{Label='Time';Expression={$_.TimeCreated.ToString('g')}}, `
@{Label='UserName';Expression={$_.Properties[5].Value}}, `
@{Label='WorkstationName';Expression={$_.Properties[11].Value}}, `
@{Label='LogonType';Expression={$_.properties[8].value}}, `
@{Label='ImpersonationLevel';Expression={$_.properties[20].value}}
$Events | Out-GridView

Best Regards,

Ian Xue

If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Bob Pants 261 Reputation points

2023-11-07T22:49:37.6766667+00:00

Thanks, but the output is the same, it just repeats the same 'Secure Channel name' on every line and not the 'Workstation Name'
Nathan Dierkes 5 Reputation points

2024-06-06T12:42:16.1266667+00:00

@Bob Pants

Hi Bob, when I ran that query against a lab DC I received this info with out-gridview.

Are you not seeing the workstation name? What do you see in that field?

Share via

NTLM Auditing - Event logs

1 answer

Your answer