
NTLMv1 Logon Between Client and Server


Summary
This detection rule identifies NTLMv1 authentication being used between a client and a server. NTLMv1 is insecure because its challenge-response scheme is built on DES with 56-bit keys: a captured challenge and response can be brute-forced on modern hardware to recover the user's NT hash, which an attacker can then reuse in pass-the-hash attacks. The rule matches events from the LsaSrv provider with Event ID 6038 or 6039, which Windows writes to the System event log when it observes NTLM authentication between a client and the server. Event 6038 is recorded once per boot, the first time a client uses NTLM with that server, so a hit marks a server on which NTLM is in use rather than counting individual logons; per-logon detail, including the "NTLM V1" package name, is available in Security event 4624.

The detection matters because cracked NTLMv1 responses give an attacker reusable credentials for lateral movement in a Windows environment. NTLMv1 still appears in some legitimate cases, such as legacy devices and applications, so the rule has expected false positives there; each hit should nevertheless be investigated and the source reconfigured. Administrators should move to NTLMv2 or, preferably, Kerberos, enforce this through the LAN Manager authentication level policy (the LmCompatibilityLevel registry value), systematically phase NTLMv1 out of the network infrastructure, and audit regularly for compliance.
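The following is an added example, not code from the Sigma project or from this page: it applies the rule's selection (provider LsaSrv, Event ID 6038 or 6039) to a handful of constructed event records using Sigma's matching semantics, where the fields of one selection are ANDed and a list of values for one field is ORed. The event records, the field names (Provider_Name, EventID, Channel, EventRecordID) and the helper function names are assumptions made for the example; the Security 4624 record is included to show that this particular rule does not cover that second NTLMv1 signal.

```python
"""Apply the NTLMv1-logon selection to sample Windows System-log events.

Added example, not part of the Sigma rule or this page. Event records are
constructed for illustration and are not real logs.
"""
from __future__ import annotations

from typing import Any

# Selection mirroring the rule described on this page. The list under
# EventID is Sigma's OR; the two keys together are Sigma's AND.
SELECTION: dict[str, Any] = {
    "Provider_Name": "LsaSrv",
    "EventID": [6038, 6039],
}


def _values_equal(actual: Any, expected: Any) -> bool:
    """Sigma string comparison is case-insensitive; other types compare exactly."""
    if isinstance(actual, str) and isinstance(expected, str):
        return actual.casefold() == expected.casefold()
    return actual == expected


def match_selection(event: dict[str, Any], selection: dict[str, Any]) -> bool:
    """Return True when every field of `selection` matches `event`.

    A missing field never matches, and a list of expected values matches
    when any one of them equals the event's value.
    """
    for field, expected in selection.items():
        if field not in event:
            return False
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_values_equal(event[field], c) for c in candidates):
            return False
    return True


def detect_ntlmv1(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return the events that the rule's selection matches, in input order."""
    return [e for e in events if match_selection(e, SELECTION)]


# Constructed sample events (assumed field names, not captured logs).
SAMPLE_EVENTS: list[dict[str, Any]] = [
    # Two true positives: LsaSrv in the System log with the rule's IDs.
    {"EventRecordID": 1, "Channel": "System", "Provider_Name": "LsaSrv",
     "EventID": 6038, "Computer": "FS01.example.local"},
    {"EventRecordID": 2, "Channel": "System", "Provider_Name": "LsaSrv",
     "EventID": 6039, "Computer": "FS02.example.local"},
    # Same ID, different provider: must not match (fields are ANDed).
    {"EventRecordID": 3, "Channel": "System", "Provider_Name": "OtherProvider",
     "EventID": 6038, "Computer": "FS01.example.local"},
    # LsaSrv with an ID outside the list: must not match.
    {"EventRecordID": 4, "Channel": "System", "Provider_Name": "LsaSrv",
     "EventID": 40960, "Computer": "FS01.example.local"},
    # Security 4624 carrying the NTLM V1 package name is a separate signal
    # that this rule does not cover; a per-logon rule would look here.
    {"EventRecordID": 5, "Channel": "Security",
     "Provider_Name": "Microsoft-Windows-Security-Auditing",
     "EventID": 4624, "LmPackageName": "NTLM V1"},
]


if __name__ == "__main__":
    for hit in detect_ntlmv1(SAMPLE_EVENTS):
        print(f"NTLMv1 logon reported: record {hit['EventRecordID']} "
              f"on {hit['Computer']} (EventID {hit['EventID']})")
```

Running the script reports records 1 and 2 only. Record 5 is left unmatched on purpose: the 4624 package-name field is the place to look for per-logon NTLMv1 evidence, and it needs its own rule.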
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Application Log
Created: 2022-04-26