Getting rid of NTLM is easier now

🔒 Secure Bits 💡
𝗚𝗲𝘁𝘁𝗶𝗻𝗴 𝗿𝗶𝗱 𝗼𝗳 𝗡𝗧𝗟𝗠 𝗶𝘀 𝗳𝗶𝗻𝗮𝗹𝗹𝘆 𝗲𝗮𝘀𝗶𝗲𝗿 (𝗮𝗻𝗱 𝘀𝗺𝗮𝗿𝘁𝗲𝗿)

In Windows 11 version 24H2 and Windows Server 2025, Microsoft introduced 𝗲𝗻𝗵𝗮𝗻𝗰𝗲𝗱 𝗡𝗧𝗟𝗠 𝗹𝗼𝗴𝗴𝗶𝗻𝗴 — and it’s a game changer for organizations trying to decommission NTLM.

Let’s break it down 👇

⸻
𝗢𝗟𝗗 𝗪𝗔𝗬

🛠 𝗚𝗣𝗢:
• 𝘚𝘦𝘤𝘶𝘳𝘪𝘵𝘺 𝘚𝘦𝘵𝘵𝘪𝘯𝘨𝘴 > 𝘈𝘥𝘷𝘢𝘯𝘤𝘦𝘥 𝘈𝘶𝘥𝘪𝘵 𝘗𝘰𝘭𝘪𝘤𝘺 𝘊𝘰𝘯𝘧𝘪𝘨𝘶𝘳𝘢𝘵𝘪𝘰𝘯 > 𝘈𝘤𝘤𝘰𝘶𝘯𝘵 𝘓𝘰𝘨𝘰𝘯 > 𝘈𝘶𝘥𝘪𝘵 𝘊𝘳𝘦𝘥𝘦𝘯𝘵𝘪𝘢𝘭 𝘝𝘢𝘭𝘪𝘥𝘢𝘵𝘪𝘰𝘯
• 𝘚𝘦𝘤𝘶𝘳𝘪𝘵𝘺 𝘚𝘦𝘵𝘵𝘪𝘯𝘨𝘴 > 𝘈𝘥𝘷𝘢𝘯𝘤𝘦𝘥 𝘈𝘶𝘥𝘪𝘵 𝘗𝘰𝘭𝘪𝘤𝘺 𝘊𝘰𝘯𝘧𝘪𝘨𝘶𝘳𝘢𝘵𝘪𝘰𝘯 > 𝘓𝘰𝘨𝘰𝘯/𝘓𝘰𝘨𝘰𝘧𝘧 > 𝘈𝘶𝘥𝘪𝘵 𝘓𝘰𝘨𝘰𝘯

📄 𝗘𝘃𝗲𝗻𝘁𝘀:
• 4776 — NTLM usage (no version, no reason, no process)
• 4624 — NTLM 𝘃𝗲𝗿𝘀𝗶𝗼𝗻 shown – must be collected on the client side

❌ It was hard to get a global view of NTLM usage and the context behind it.

⸻
“𝗡𝗘𝗪𝗘𝗥” 𝗪𝗔𝗬

🛠 𝗚𝗣𝗢:
• 𝘓𝘰𝘤𝘢𝘭 𝘗𝘰𝘭𝘪𝘤𝘪𝘦𝘴 > 𝘚𝘦𝘤𝘶𝘳𝘪𝘵𝘺 𝘖𝘱𝘵𝘪𝘰𝘯𝘴 > 𝘕𝘦𝘵𝘸𝘰𝘳𝘬 𝘴𝘦𝘤𝘶𝘳𝘪𝘵𝘺: 𝘙𝘦𝘴𝘵𝘳𝘪𝘤𝘵 𝘕𝘛𝘓𝘔: 𝘈𝘶𝘥𝘪𝘵…

📄 𝗘𝘃𝗲𝗻𝘁𝘀:
• 8001 — Client: outgoing NTLM blocked; shows 𝗽𝗿𝗼𝗰𝗲𝘀𝘀; no version
• 8002 — Target device: incoming NTLM blocked
• 8003 — Service host: NTLM blocked; shows process; no version
• 8004–8006 — NTLM authentication blocks on DC

⚠️ These events show which process initiated the NTLM authentication (plus details) and whether it would be/was blocked. But we still lack a DC-side log that captures the full NTLM transaction.

⸻
𝗡𝗘𝗪

🛠 𝗚𝗣𝗢:
• 𝘈𝘥𝘮𝘪𝘯𝘪𝘴𝘵𝘳𝘢𝘵𝘪𝘷𝘦 𝘛𝘦𝘮𝘱𝘭𝘢𝘵𝘦𝘴 > 𝘚𝘺𝘴𝘵𝘦𝘮 > 𝘕𝘛𝘓𝘔 > 𝘕𝘛𝘓𝘔 𝘌𝘯𝘩𝘢𝘯𝘤𝘦𝘥 𝘓𝘰𝘨𝘨𝘪𝘯𝘨
• 𝘈𝘥𝘮𝘪𝘯𝘪𝘴𝘵𝘳𝘢𝘵𝘪𝘷𝘦 𝘛𝘦𝘮𝘱𝘭𝘢𝘵𝘦𝘴 > 𝘚𝘺𝘴𝘵𝘦𝘮 > 𝘕𝘦𝘵𝘭𝘰𝘨𝘰𝘯 > 𝘓𝘰𝘨 𝘌𝘯𝘩𝘢𝘯𝘤𝘦𝘥 𝘋𝘰𝘮𝘢𝘪𝘯-𝘸𝘪𝘥𝘦 𝘕𝘛𝘓𝘔 𝘓𝘰𝘨𝘴

📄 𝗘𝘃𝗲𝗻𝘁𝘀:
• 4020/4021 — Client-side: NTLM version, 𝗽𝗿𝗼𝗰𝗲𝘀𝘀, and 𝗿𝗲𝗮𝘀𝗼𝗻
• 4022/4023 — Server-side: NTLM version and local process
• 4030/4031 — DC-side: NTLM version, service, cross-domain
• 4032/4033 — DC-side: NTLM 𝘃𝗲𝗿𝘀𝗶𝗼𝗻, service, same-domain

🎯 On the client, you’ll see why NTLM fired, but the 𝗱𝗼𝗺𝗮𝗶𝗻 𝗰𝗼𝗻𝘁𝗿𝗼𝗹𝗹𝗲𝗿 𝗴𝗶𝘃𝗲𝘀 𝘆𝗼𝘂 𝘁𝗵𝗲 𝗱𝗲𝘁𝗮𝗶𝗹𝘀 𝘆𝗼𝘂 𝗮𝗰𝘁𝘂𝗮𝗹𝗹𝘆 𝗻𝗲𝗲𝗱 (NTLM version, SPN, etc.). Start your review on the DC to map where NTLM is used, then drill down into specific clients/servers as needed.

⸻

❓𝗦𝘁𝗶𝗹𝗹 𝗿𝗲𝗹𝘆𝗶𝗻𝗴 𝗼𝗻 𝗡𝗧𝗟𝗠 in your environment?