Rule for "LMCompatibilityLevel LM & NTLM"

What is a one sentence summary of your feature request?

Allow certain rules to have configurable logic

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

Problem:
Split S-OldNTLM into two checks
Enhance action plan experience
The rule S-OldNtlm is designed to “ensure that the NTLMv1 and old LM protocols are banned.” However, this rule does not differentiate between sending NTLMv1 (Levels 0, 1, 2) and only accepting NTLMv1 (Levels 3 & 4).

While accepting NTLMv1 is not ideal, the major risk lies in sending NTLMv1 due to the potential for MITM (Man-In-The-Middle) attacks, relaying, and easy cracking.

Proposal:
Adding Action Plans in the consolidation view is something we should consider to unify the views. This will be added to the backlog for now, but it is definitely something we will look into.

We should split S-OldNTLM into two checks:
S-OldNTLM: Modify this to only identify enabled GPOs that send NTLMv1 (Levels 0, 1, 2).
S-OldNTLMDC: Create this to specifically target DCs that are not set to the recommended levels to reject LM and NTLMv1 (Levels below 5, with 5 being the most secure option).

Regarding Rule Logic Modification, this is not something we are actively pursuing at the moment. However, we can add it to the backlog. Additionally, we have an item on the backlog for custom rules via PowerShell to extend detection.
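The two-rule split proposed above, written out as an added PowerShell example (this is not PingCastle's own rule code, and the names S-OldNTLM / S-OldNTLMDC are used only as labels for the two proposed checks). The function Get-NtlmLevelFinding and the inventory entries are constructed for the example; the only real identifier is the registry location of LmCompatibilityLevel, which Get-LocalLmCompatibilityLevel reads so the same classification can be run against a live machine. Level semantics follow the request: 0, 1 and 2 send NTLMv1, 3 and 4 still accept it when the host acts as a server or DC, and 5 refuses LM and NTLMv1.

```powershell
# Added example: classify LmCompatibilityLevel values the way the proposed split would.
# Hypothetical helper, not from PingCastle; rule names are the ones proposed in the request.
function Get-NtlmLevelFinding {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Level,
        [switch]$IsDomainController
    )
    $finding = [ordered]@{ Name = $Name; Level = $Level; Rules = @() }
    if ($Level -le 2) {
        # Client side: levels 0, 1, 2 still send NTLMv1 (the relay / cracking risk)
        $finding.Rules += 'S-OldNTLM'
    }
    if ($IsDomainController -and $Level -lt 5) {
        # Server side: a DC below 5 still accepts LM/NTLMv1 from clients
        $finding.Rules += 'S-OldNTLMDC'
    }
    [pscustomobject]$finding
}

# Read the effective value on the local machine. The key path is the real location of
# LmCompatibilityLevel; an absent value means the Windows default (3 on current versions).
function Get-LocalLmCompatibilityLevel {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $value) { 3 } else { [int]$value }
}

# Constructed sample inventory (hypothetical GPO/host names and levels, not from the page).
# In practice the levels would come from GPO exports or the registry read above.
$inventory = @(
    @{ Name = 'GPO-Workstations'; Level = 2; IsDC = $false },  # flagged by S-OldNTLM only
    @{ Name = 'GPO-Servers';      Level = 3; IsDC = $false },  # sends NTLMv2, no finding
    @{ Name = 'DC01';             Level = 4; IsDC = $true  },  # flagged by S-OldNTLMDC only
    @{ Name = 'DC02';             Level = 5; IsDC = $true  }   # compliant, no finding
)

$inventory |
    ForEach-Object { Get-NtlmLevelFinding -Name $_.Name -Level $_.Level -IsDomainController:$_.IsDC } |
    Where-Object { $_.Rules.Count -gt 0 } |
    Format-Table -AutoSize
```

With the constructed inventory, only GPO-Workstations (level 2) and DC01 (level 4) are reported, each under a different rule, which is the separation the request asks for: a level-3 or level-4 member server no longer trips the "sends NTLMv1" finding, while a DC that merely accepts NTLMv1 is still surfaced by the DC-specific check.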

How do you currently solve the challenges you have by not having this feature?

You can filter these domains in the “Consolidation” section:

Go to Dashboard
Navigate to Risk Score
Select Consolidation
Choose Password
Go to Security settings
Search for: LAN Manager authentication level

Unfortunately, it is not possible to create Action Plans or similar actions. I also attempted to modify the Rule S-OldNtlm, but there is no option to change its behavior.