Silverfort has uncovered a misconfiguration in Active Directory Group Policy that allows NTLMv1 authentication to continue even after an administrator has disabled it through the "Network security: LAN Manager authentication level" policy (the setting that writes LmCompatibilityLevel on domain controllers and members). The issue matters for organizations running on-premises applications that still authenticate with NTLM: NTLMv1 responses can be cracked offline to recover the account's NT hash, so an attacker positioned to capture that traffic can obtain credentials and gain unauthorized access. Affected: Active Directory, NTLMv1
Key points:
- Silverfort’s research reveals a Group Policy misconfiguration that allows NTLMv1 authentications to continue even when the policy is set to refuse them.
- According to Silverfort, 64% of Active Directory user accounts still authenticate with NTLM, leaving those accounts exposed to credential capture, cracking and relay.
- NTLMv1 derives its challenge response from the NT hash using DES with three 7-byte key fragments, so a captured response can be cracked to the NT hash; attackers then use the hash for lateral movement and privilege escalation.
- Microsoft has announced the removal of NTLMv1, starting with Windows 11 version 24H2 and Windows Server 2025.
- Organizations are encouraged to audit and map NTLM authentications (Security event 4624 records the package used in its "Package Name (NTLM only)" field, with the value "NTLM V1" for NTLMv1 logons) so that remaining NTLMv1 clients can be identified and remediated rather than assumed blocked by policy.
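The audit step above, as an added PowerShell example that is not part of Silverfort's research. It assumes it is run elevated on a server whose Security log receives 4624 logon events (a domain controller or an application server), reads the effective LmCompatibilityLevel from the registry, and then lists every NTLMv1 logon from the last seven days; the seven-day window and the output fields are choices made here, not values from the page.

```powershell
# Added example (not from the Silverfort research): detect NTLMv1 logons that
# occur despite a restrictive LAN Manager authentication level.
# Assumptions: run elevated; the Security log on this host records Event ID 4624,
# whose LmPackageName field is "NTLM V1" when the client used NTLMv1.

# 1. Effective LmCompatibilityLevel. The GPO "Network security: LAN Manager
#    authentication level" writes this value. 5 = "Send NTLMv2 response only.
#    Refuse LM & NTLM". If the value is absent the OS default applies (3 on
#    current Windows: send NTLMv2 only, but still accept LM, NTLMv1 and NTLMv2).
$lsa   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level = $lsa.LmCompatibilityLevel
if ($null -eq $level) { $levelText = 'not set (OS default, 3)' } else { $levelText = $level }
Write-Host "LmCompatibilityLevel: $levelText"

# 2. Find NTLMv1 logons recorded in the last seven days (window is an assumption).
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$ntlmv1 = foreach ($e in $events) {
    # Parse the event XML so fields can be read by name rather than by position.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['LmPackageName'] -eq 'NTLM V1') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
            LogonType   = $data['LogonType']
        }
    }
}

# 3. A level of 5 together with NTLMv1 logons is exactly the condition the
#    research describes: the policy says "refuse", the log says "accepted".
if ($level -eq 5 -and $ntlmv1) {
    Write-Warning "LmCompatibilityLevel is 5 but $(@($ntlmv1).Count) NTLMv1 logon(s) were still recorded; the policy is not being honoured for these clients."
}

# Summarise by account and source so remediation can be mapped to specific systems.
$ntlmv1 | Group-Object Account, Workstation |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it on the servers that applications actually authenticate to, not only on domain controllers: a member server logs 4624 with the NTLM version for each logon it accepts, whereas the domain controller that validates the credential only records event 4776, which does not state whether NTLMv1 or NTLMv2 was used.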
MITRE Techniques:
- T1550.002: Use Alternate Authentication Material: Pass the Hash (formerly T1075) – an NT hash recovered by cracking a captured NTLMv1 response can be used to authenticate without the password.
- T1078: Valid Accounts – authenticating as legitimate users with credentials obtained from NTLMv1 traffic.
- T1059.001: Command and Scripting Interpreter: PowerShell (formerly T1086) – PowerShell is commonly used to drive the tooling that captures, cracks or replays NTLM authentication during lateral movement.
Indicators of Compromise:
- None reported; the research describes a configuration weakness rather than a specific campaign, so detection relies on auditing NTLMv1 logons instead of matching indicators.
Full Research: https://www.silverfort.com/blog/ntlmv1-bypass-in-active-directory-technical-deep-dive/