Network-Level Authentication (NLA) Disabled

Elastic Detection Rules

Summary
This detection rule identifies attempts to disable Network-Level Authentication (NLA) on Windows systems through specific registry modifications. NLA is a security feature that requires user authentication before a full Remote Desktop Protocol (RDP) session can begin. Attackers may modify the registry to disable NLA, allowing them to reach the Windows sign-in screen without prior authentication, which in turn can facilitate persistence techniques such as abusing Accessibility Features like Sticky Keys. The rule uses EQL (Event Query Language) to monitor the registry path and value that control NLA. When the UserAuthentication value in the Windows registry is changed to indicate NLA is disabled (set to "0" or "0x00000000"), the event is detected and an alert is raised. Investigative follow-ups include reviewing event logs, checking for unauthorized user activity, and examining recent RDP connections to determine whether the change has already been used to gain unauthorized access. The rule helps security teams catch this weakening of host integrity and access control early.
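The condition the summary describes (a registry change that sets UserAuthentication to "0" or "0x00000000"), re-implemented in plain Python over constructed registry events so the logic can be exercised offline. This is an added example, not Elastic's rule or its EQL query. The page names the value but not its full path; the path used here is the standard Windows location for the default RDP listener (HKLM\SYSTEM\...\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication) and is an assumption of this example, as are the event field names and the sample events.

```python
"""Added example: minimal re-implementation of the NLA-disabled detection
condition over constructed registry-change events (not Elastic's rule)."""
import re

# Registry value controlling NLA for the default RDP listener.  The full path
# is not quoted on the page; this is the standard Windows location, written to
# accept both CurrentControlSet and the numbered ControlSetNNN aliases.
NLA_PATH_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Control\\"
    r"Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication$",
    re.IGNORECASE,
)

# Data values that mean "NLA disabled", as stated in the rule summary.
DISABLED_VALUES = {"0", "0x00000000"}


def is_nla_disabled_event(event: dict) -> bool:
    """True if the event records UserAuthentication being set to a disabling value."""
    if event.get("event_type") != "registry_change":
        return False
    if not NLA_PATH_RE.match(event.get("registry_path", "")):
        return False
    # Normalise case so "0X00000000" is treated the same as "0x00000000".
    data = str(event.get("registry_data", "")).strip().lower()
    return data in DISABLED_VALUES


def find_alerts(events):
    """Reduce an event stream to compact alert records for the events that
    disable NLA.  Process, user and host are the first triage pivots the
    summary's follow-up steps call for."""
    alerts = []
    for ev in events:
        if is_nla_disabled_event(ev):
            alerts.append({
                "timestamp": ev.get("timestamp"),
                "host": ev.get("host"),
                "user": ev.get("user"),
                "process": ev.get("process"),
                "path": ev["registry_path"],
                "data": ev.get("registry_data"),
            })
    return alerts


# Constructed sample events (hypothetical telemetry, field names assumed).
SAMPLE_EVENTS = [
    {   # disables NLA via the CurrentControlSet alias -> alert
        "timestamp": "2023-08-25T10:01:02Z", "host": "ws-01", "user": "jdoe",
        "process": "regedit.exe", "event_type": "registry_change",
        "registry_path": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
                         r"\WinStations\RDP-Tcp\UserAuthentication",
        "registry_data": "0",
    },
    {   # re-enables NLA -> not an alert
        "timestamp": "2023-08-25T10:05:00Z", "host": "ws-01", "user": "admin",
        "process": "powershell.exe", "event_type": "registry_change",
        "registry_path": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
                         r"\WinStations\RDP-Tcp\UserAuthentication",
        "registry_data": "1",
    },
    {   # a different RDP value set to 0 -> not this rule's condition
        "timestamp": "2023-08-25T10:06:00Z", "host": "ws-02", "user": "admin",
        "process": "powershell.exe", "event_type": "registry_change",
        "registry_path": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
                         r"\WinStations\RDP-Tcp\SecurityLayer",
        "registry_data": "0",
    },
    {   # disables NLA via a numbered control set, hex form -> alert
        "timestamp": "2023-08-25T10:09:30Z", "host": "ws-03", "user": "svc-backup",
        "process": "cmd.exe", "event_type": "registry_change",
        "registry_path": r"HKLM\SYSTEM\ControlSet001\Control\Terminal Server"
                         r"\WinStations\RDP-Tcp\UserAuthentication",
        "registry_data": "0x00000000",
    },
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints the two matching events; the re-enable (data "1") and the change to the unrelated SecurityLayer value are ignored, which is the behaviour the rule summary implies. In a real pipeline the same filter would sit over ECS-shaped registry events rather than these hand-built dictionaries.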
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Logon Session
  • User Account
ATT&CK Techniques
  • T1112
  • T1562
Created: 2023-08-25