From 028ce2a548014959aa9042dfdc348ad52afa3ba0 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 24 Feb 2021 13:22:25 +0100 Subject: [PATCH] fix: Sysmon NTLM downgrade attack - too many fps --- .../builtin/win_net_ntlm_downgrade.yml | 23 ++++--------------- 1 file changed, 5 insertions(+), 18 deletions(-) diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/win_net_ntlm_downgrade.yml index be83d333a..ff5a1f4c1 100644 --- a/rules/windows/builtin/win_net_ntlm_downgrade.yml +++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml @@ -6,29 +6,12 @@ references: - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks author: Florian Roth date: 2018/03/20 -modified: 2020/08/23 +modified: 2021/02/24 tags: - attack.defense_evasion - attack.t1089 # an old one - attack.t1562.001 - attack.t1112 -detection: - condition: 1 of them -falsepositives: - - Unknown -level: critical ---- -logsource: - product: windows - service: sysmon -detection: - selection1: - EventID: 13 - TargetObject: - - '*SYSTEM\\*ControlSet*\Control\Lsa\lmcompatibilitylevel' - - '*SYSTEM\\*ControlSet*\Control\Lsa*\NtlmMinClientSec' - - '*SYSTEM\\*ControlSet*\Control\Lsa*\RestrictSendingNTLMTraffic' ---- # Windows Security Eventlog: Process Creation with Full Command Line logsource: product: windows @@ -42,3 +25,7 @@ detection: - 'LmCompatibilityLevel' - 'NtlmMinClientSec' - 'RestrictSendingNTLMTraffic' + condition: 1 of them +falsepositives: + - Unknown +level: critical \ No newline at end of file
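Review bot: Deleting the whole Sysmon EventID 13 selection (the `-logsource: ... service: sysmon` / `TargetObject` block in the first hunk) removes the only coverage for writes to `lmcompatibilitylevel`, `NtlmMinClientSec` and `RestrictSendingNTLMTraffic` that do not pass through a logged command line, for example a PowerShell `Set-ItemProperty`, a WMI call or an implant using the registry API directly; after this change the rule only fires when the value name is visible in process creation. The subject says the removal is driven by false positives, but the hunk does not record which writers were noisy, so a narrower fix (a `filter` on those images, or moving the registry selection into its own lower-level rule) cannot be judged and the detection gap is silent. At minimum the `falsepositives:` entry, which still reads `- Unknown`, should name the legitimate processes or GPO activity that produced the noise, e.g. `- Legitimate hardening via GPO or configuration management writing these Lsa values`, so the next reviewer knows why registry telemetry was dropped.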
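Review bot: The remaining command-line selection keys on the value names `LmCompatibilityLevel`, `NtlmMinClientSec` and `RestrictSendingNTLMTraffic` alone, so a legitimate hardening command that raises the level (e.g. `reg add ... /v LmCompatibilityLevel ... /d 5`) matches exactly like a downgrade, yet the rule keeps `level: critical` with `falsepositives: - Unknown`; either the note should state that administrative hardening scripts are an expected source of hits, or the selection (which begins outside this hunk) should be narrowed to the downgrade values. The `condition: 1 of them` is now appended to a `detection:` block whose selection list starts before the hunk, so it is worth confirming there is only one selection left after the Sysmon block was removed, otherwise `1 of them` silently widens the match. The patch also ends with `\ No newline at end of file`; a trailing newline after `level: critical` keeps the file consistent with the other rules and avoids spurious diffs on the next edit.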