Microsoft-Windows-NTLM

21 events across 3 channels

Event	Title	Channel	Sample
100	NTLM authentication failed because the account was a member of the Protected …	ProtectedUserFailures-DomainController	N
101	NTLM authentication failed because access control restrictions are required.	AuthenticationPolicyFailures-DomainController	N
301	NTLM authentication succeded, but it will fail when Authentication Policy is …	AuthenticationPolicyFailures-DomainController	N
4001	NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that …	Operational	Y
4002	NTLM server blocked: Incoming NTLM traffic to servers that is blocked.	Operational	N
4003	NTLM server blocked in the domain: NTLM authentication in this domain that is …	Operational	N
4010	NTLM Minimum Client Security Block.	Operational	N
4011	NTLM Minimum Server Security Block.	Operational	N
4012	NTLM client used the domain password.	Operational	N
4013	Attempt to use NTLMv1 failed.	Operational	N
4014	Attempt to get credential key by call package blocked by Credential Guard.	Operational	Y
4015	NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that …	Operational	N
4020	This machine attempted to authenticate to a remote resource via NTLM.	Operational	N
4021	This machine attempted to authenticate to a remote resource via NTLM.	Operational	N
4022	A remote client is using NTLM to authenticate to this workstation.	Operational	N
4023	A remote client is using NTLM to authenticate to this workstation.	Operational	N
4024	Auditing an attempt to use NTLMv1-derived credentials for Single Sign-On.	Operational	N
4025	An attempt to use NTLMv1-derived credentials for Single Sign-On was blocked due …	Operational	N
8001	NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would …	Operational	Y
8002	NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked.	Operational	Y
8003	NTLM server blocked in the domain audit: Audit NTLM authentication in this …	Operational	Y

Event ID 100: NTLM authentication failed because the account was a member of the Protected User group.

Provider: Microsoft-Windows-NTLM
Channel: ProtectedUserFailures-DomainController

Description

NTLM authentication failed because the account was a member of the Protected User group.

Message #

NTLM authentication failed because the account was a member of the Protected User group.

Account Name: %1
Device Name: %2
Error Code: %3

Fields #

Name	Description
`AccountName` UnicodeString
`DeviceName` UnicodeString
`Status` HexInt32	NTSTATUS reference

Event ID 101: NTLM authentication failed because access control restrictions are required.

Provider: Microsoft-Windows-NTLM
Channel: AuthenticationPolicyFailures-DomainController

Description

NTLM authentication failed because access control restrictions are required.

Message #

NTLM authentication failed because access control restrictions are required.

Account Name: %1
Device Name: %2
Error Code: %3

Authentication Policy Information:
	Silo Name: %4
	PolicyName: %5

Fields #

Name	Description
`AccountName` UnicodeString
`DeviceName` UnicodeString
`Status` HexInt32	NTSTATUS reference
`SiloName` UnicodeString
`PolicyName` UnicodeString	[Authentication Policy Information] PolicyName.

Event ID 301: NTLM authentication succeded, but it will fail when Authentication Policy is enforced because access control restrictions are required.

Provider: Microsoft-Windows-NTLM
Channel: AuthenticationPolicyFailures-DomainController

Description

NTLM authentication succeded, but it will fail when Authentication Policy is enforced because access control restrictions are required.

Message #

NTLM authentication succeded, but it will fail when Authentication Policy is enforced because access control restrictions are required.

Account Name: %1
Device Name: %2
Error Code: %3

Authentication Policy Information:
	Silo Name: %4
	PolicyName: %5

Fields #

Name	Description
`AccountName` UnicodeString
`DeviceName` UnicodeString
`Status` HexInt32	NTSTATUS reference
`SiloName` UnicodeString
`PolicyName` UnicodeString	[Authentication Policy Information] PolicyName.

Event ID 4001: NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked.

Provider: Microsoft-Windows-NTLM
Channel: Operational
Level: Warning
Collection Priority: Recommended (Yamato Security)
Task: BlockingNTLM

Description

NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked.

Message #

NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked.
Target server: %1
Supplied user: %2
Supplied domain: %3
PID of client process: %4
Name of client process: %5
LUID of client process: %6
User identity of client process: %7
Domain name of user identity of client process: %8
Mechanism OID: %9

NTLM authentication requests from this computer are blocked.

If you want to allow this computer to use NTLM authentication, set the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Allow all.

If you want only the target server %1 to accept NTLM authentication requests from this computer, set the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Deny all and then set the security policy Network Security: Restrict NTLM: Add remote server exceptions and list the target server %1 as an exception to use NTLM authentication.

Fields #

Name	Description
`TargetName` UnicodeString
`UserName` UnicodeString
`DomainName` UnicodeString
`CallerPID` UInt32
`ProcessName` UnicodeString
`ClientLUID` HexInt64
`ClientUserName` UnicodeString
`ClientDomainName` UnicodeString
`MechanismOID` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-NTLM",
    "guid": "ac43300d-5fcc-4800-8e99-1bd3f85f0320",
    "event_source_name": "",
    "event_id": 4001,
    "version": 0,
    "level": 3,
    "task": 1,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-05-03T21:03:06.9528515+00:00",
    "event_record_id": 32,
    "correlation": {
      "ActivityID": "64478093-d4f9-0001-1c81-4764f9d4dc01",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 976,
      "thread_id": 1364
    },
    "channel": "Microsoft-Windows-NTLM/Operational",
    "computer": "DESKTOP-K7Q9MS2",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "TargetName": "cifs/127.0.0.1",
    "UserName": "bogus",
    "DomainName": "BOGUS",
    "CallerPID": "4",
    "ProcessName": "",
    "ClientLUID": "0x4641e93",
    "ClientUserName": "localuser",
    "ClientDomainName": "DESKTOP-K7Q9MS2",
    "MechanismOID": "(NULL)"
  },
  "message": "NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked.\r\nTarget server: cifs/127.0.0.1\r\nSupplied user: bogus\r\nSupplied domain: BOGUS\r\nPID of client process: 4\r\nName of client process: \r\nLUID of client process: 0x4641E93\r\nUser identity of client process: localuser\r\nDomain name of user identity of client process: DESKTOP-K7Q9MS2\r\nMechanism OID: (NULL)\r\n\r\nNTLM authentication requests from this computer are blocked.\r\n\r\nIf you want to allow this computer to use NTLM authentication, set the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Allow all.\r\n\r\nIf you want only the target server cifs/127.0.0.1 to accept NTLM authentication requests from this computer, set the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Deny all and then set the security policy Network Security: Restrict NTLM: Add remote server exceptions and list the target server cifs/127.0.0.1 as an exception to use NTLM authentication."
}

Event ID 4002: NTLM server blocked: Incoming NTLM traffic to servers that is blocked.

Provider: Microsoft-Windows-NTLM
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: BlockingNTLM

Description

NTLM server blocked: Incoming NTLM traffic to servers that is blocked.

Message #

NTLM server blocked: Incoming NTLM traffic to servers that is blocked
Calling process PID: %1
Calling process name: %2
Calling process LUID: %3
Calling process user identity: %4
Calling process domain identity: %5
Mechanism OID: %6

NTLM authentication requests to this server have been blocked.

If you want this server to allow NTLM authentication, set the security policy Network Security: Restrict NTLM: Incoming NTLM Traffic to Allow all.

Fields #

Name	Description
`CallerPID` UInt32
`ProcessName` UnicodeString
`ClientLUID` HexInt64
`ClientUserName` UnicodeString
`ClientDomainName` UnicodeString
`MechanismOID` UnicodeString

Event ID 4003: NTLM server blocked in the domain: NTLM authentication in this domain that is blocked.

Provider: Microsoft-Windows-NTLM
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: BlockingNTLM

Description

NTLM server blocked in the domain: NTLM authentication in this domain that is blocked.

Message #

NTLM server blocked in the domain: NTLM authentication in this domain that is blocked
User: %1
Domain: %2
Workstation: %3
PID: %4
Process: %5
Logon type: %6
InProc: %7
Mechanism: %8

NTLM authentication within the domain %2 is blocked.

If you want to allow NTLM authentication requests in the domain %1, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests only to specific servers in the domain %1, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in this domain as an exception to use NTLM authentication.

Fields #

Name	Description
`UserName` UnicodeString
`DomainName` UnicodeString
`Workstation` UnicodeString
`CallerPID` UInt32
`ProcessName` UnicodeString
`LogonType` UInt32	Logon type code (2=Interactive, 3=Network, 4=Batch, 5=Service, 7=Unlock, 8=NetworkCleartext, 9=NewCredentials, 10=RemoteInteractive, 11=CachedInteractive). Logon type reference
`InProc` Boolean
`MechanismOID` UnicodeString

Event ID 4010: NTLM Minimum Client Security Block.

Provider: Microsoft-Windows-NTLM
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

NTLM Minimum Client Security Block.

Message #

NTLM Minimum Client Security Block:
Calling process PID: %1
Calling Process Name: %2
Negotiated Security Flags: %3
Minimum Security Flags: %4

Fields #

Name	Description
`CallerPID` UInt32
`ProcessName` UnicodeString
`NegotiatedSecurity` HexInt32
`RequiredSecurity` HexInt32

Event ID 4011: NTLM Minimum Server Security Block.

Provider: Microsoft-Windows-NTLM
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

NTLM Minimum Server Security Block.

Message #

NTLM Minimum Server Security Block:
Calling process PID: %1
Calling Process Name: %2
Negotiated Security Flags: %3
Minimum Security Flags: %4

Fields #

Name	Description
`CallerPID` UInt32
`ProcessName` UnicodeString
`NegotiatedSecurity` HexInt32
`RequiredSecurity` HexInt32

Event ID 4012: NTLM client used the domain password.

Provider: Microsoft-Windows-NTLM
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

NTLM client used the domain password. The attempt to use the DC-generated NTLM secret failed, and fallback to the domain password succeeded.

Message #

NTLM client used the domain password. The attempt to use the DC-generated NTLM secret failed, and fallback to the domain password succeeded.
Account Name: %1
Device Name: %2

Fields #

Name	Description
`AccountName` UnicodeString
`DeviceName` UnicodeString

Event ID 4013: Attempt to use NTLMv1 failed.

Provider: Microsoft-Windows-NTLM
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

Attempt to use NTLMv1 failed.

Message #

Attempt to use NTLMv1 failed.

Target server: %1
Supplied user: %2
Supplied domain: %3
PID of client process: %4
Name of client process: %5
LUID of client process: %6
User identity of client process: %7
Domain name of user identity of client process: %8
Mechanism OID: %9

This device does not support NTLMv1. For more information, see https://go.microsoft.com/fwlink/?linkid=856826.

Fields #

Name	Description
`TargetName` UnicodeString
`UserName` UnicodeString
`DomainName` UnicodeString
`CallerPID` UInt32
`ProcessName` UnicodeString
`ClientLUID` HexInt64
`ClientUserName` UnicodeString
`ClientDomainName` UnicodeString
`MechanismOID` UnicodeString

Event ID 4014: Attempt to get credential key by call package blocked by Credential Guard.

Provider: Microsoft-Windows-NTLM
Channel: Operational
Level: Error
Collection Priority: Recommended (Yamato Security)

Description

Attempt to get credential key by call package blocked by Credential Guard.

Message #

Attempt to get credential key by call package blocked by Credential Guard.

Calling Process Name: %1
Service Host Tag: %2

Fields #

Name	Description
`ImageName` UnicodeString
`SvcHostTag` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-NTLM",
    "guid": "AC43300D-5FCC-4800-8E99-1BD3F85F0320",
    "event_source_name": "",
    "event_id": 4014,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-12T01:53:29.127433+00:00",
    "event_record_id": 1103,
    "correlation": {
      "ActivityID": "EFDC13CA-B670-4786-969E-784D6C91B8C8"
    },
    "execution": {
      "process_id": 720,
      "thread_id": 6076
    },
    "channel": "Microsoft-Windows-NTLM/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ImageName": "svchost",
    "SvcHostTag": ""
  },
  "message": ""
}

Event ID 4015: NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked.

Provider: Microsoft-Windows-NTLM
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: BlockingNTLM

Description

NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked.

Message #

NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked.
Target server: %1
Supplied user: %2
Supplied domain: %3
PID of client process: %4
Name of client process: %5
LUID of client process: %6
User identity of client process: %7
Domain name of user identity of client process: %8
Mechanism OID: %9

An application on this computer attempted NTLM for authentication but the application explicitly blocks NTLM usage. Using an IP address or local user credentials from a remote computer may lead to an NTLM authentication attempt. This event does not mean that NTLM is blocked for all authentication attempts from this computer.

Fields #

Name	Description
`TargetName` UnicodeString
`UserName` UnicodeString
`DomainName` UnicodeString
`CallerPID` UInt32
`ProcessName` UnicodeString
`ClientLUID` HexInt64
`ClientUserName` UnicodeString
`ClientDomainName` UnicodeString
`MechanismOID` UnicodeString

Event ID 4020: This machine attempted to authenticate to a remote resource via NTLM.

Provider: Microsoft-Windows-NTLM
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: AuditingNTLM

Description

This machine attempted to authenticate to a remote resource via NTLM.

Message #

This machine attempted to authenticate to a remote resource via NTLM.

Process Information:
	Process Name: %1
	Process PID: %2

Client Information:
	Username: %3
	Domain: %4
	Hostname: %5 
	Sign-On Type: %6

Target Information:
	Target Machine: %7
	Target Domain: %8
	Target Resource: %9
	Target IP: %10
	Target Network Name: %11

NTLM Usage:
	Reason ID: %12
	Reason: %13

NTLM Security:
	Negotiated Flags: %14
	NTLM Version: %15
	Session Key Status: %16
	Channel Binding: %17
	Service Binding: %18
	MIC Status: %19
	AvFlags: %20
	AvFlags String: %21

For more information, see aka.ms/ntlmlogandblock

Fields #

Name	Description
`ProcessName` UnicodeString
`ProcessPID` HexInt32
`Username` UnicodeString
`DomainName` UnicodeString
`Hostname` UnicodeString
`SingleSignOn` UnicodeString
`TargetMachine` UnicodeString
`TargetDomain` UnicodeString
`TargetService` UnicodeString
`TargetIP` UnicodeString
`TargetNetworkName` UnicodeString
`NtlmUsageId` UInt32
`NtlmUsageReason` UnicodeString
`NegotiatedFlags` HexInt32
`NtlmVersion` UnicodeString
`SessionKeyStatus` UnicodeString
`ChannelBindingStatus` UnicodeString
`ServiceBinding` UnicodeString
`MicStatus` UnicodeString
`AvlFlags` HexInt32
`AvlFlagsStr` UnicodeString

Event ID 4021: This machine attempted to authenticate to a remote resource via NTLM.

Provider: Microsoft-Windows-NTLM
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: AuditingNTLM

Description

This machine attempted to authenticate to a remote resource via NTLM.

Message #

This machine attempted to authenticate to a remote resource via NTLM.

Process Information:
	Process Name: %1
	Process PID: %2

Client Information:
	Username: %3
	Domain: %4
	Hostname: %5 
	Sign-On Type: %6

Target Information:
	Target Machine: %7
	Target Domain: %8
	Target Resource: %9
	Target IP: %10
	Target Network Name: %11

NTLM Usage:
	Reason ID: %12
	Reason: %13

NTLM Security:
	Negotiated Flags: %14
	NTLM Version: %15
	Session Key Status: %16
	Channel Binding: %17
	Service Binding: %18
	MIC Status: %19
	AvFlags: %20
	AvFlags String: %21

For more information, see aka.ms/ntlmlogandblock

Fields #

Name	Description
`ProcessName` UnicodeString
`ProcessPID` HexInt32
`Username` UnicodeString
`DomainName` UnicodeString
`Hostname` UnicodeString
`SingleSignOn` UnicodeString
`TargetMachine` UnicodeString
`TargetDomain` UnicodeString
`TargetService` UnicodeString
`TargetIP` UnicodeString
`TargetNetworkName` UnicodeString
`NtlmUsageId` UInt32
`NtlmUsageReason` UnicodeString
`NegotiatedFlags` HexInt32
`NtlmVersion` UnicodeString
`SessionKeyStatus` UnicodeString
`ChannelBindingStatus` UnicodeString
`ServiceBinding` UnicodeString
`MicStatus` UnicodeString
`AvlFlags` HexInt32
`AvlFlagsStr` UnicodeString

Event ID 4022: A remote client is using NTLM to authenticate to this workstation.

Provider: Microsoft-Windows-NTLM
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: AuditingNTLM

Description

A remote client is using NTLM to authenticate to this workstation.

Message #

A remote client is using NTLM to authenticate to this workstation.

Process Information:
	Process Name: %1
	Process PID: %2

Remote Client Information:
	Username: %3
	Domain: %4
	Client Machine: %5
	Client IP: %6
	Client Network Name: %7

NTLM Security:
	Negotiated Flags: %8
	NTLM Version: %9
	Session Key Status: %10
	Channel Binding: %11
	Service Binding: %12
	Target Machine: %13
	Target Domain: %14
	MIC Status: %15
	AvlFlags: %16
	AvlFlags String: %17

Status: %18
Status Message: %19

For more information, see aka.ms/ntlmlogandblock

Fields #

Name	Description
`ProcessName` UnicodeString
`ProcessPID` HexInt32
`Username` UnicodeString
`DomainName` UnicodeString
`RemoteClientMachine` UnicodeString
`ClientIP` UnicodeString
`ClientNetworkName` UnicodeString
`NegotiatedFlags` HexInt32
`NtlmVersion` UnicodeString
`SessionKeyStatus` UnicodeString
`ChannelBindingStatus` UnicodeString
`ServiceBinding` UnicodeString
`TargetMachine` UnicodeString
`TargetDomain` UnicodeString
`MicStatus` UnicodeString
`AvFlags` HexInt32
`AvFlagsStr` UnicodeString
`Status` HexInt32	NTSTATUS reference
`StatusMsg` UInt32

Event ID 4023: A remote client is using NTLM to authenticate to this workstation.

Provider: Microsoft-Windows-NTLM
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: AuditingNTLM

Description

A remote client is using NTLM to authenticate to this workstation.

Message #

A remote client is using NTLM to authenticate to this workstation.

Process Information:
	Process Name: %1
	Process PID: %2

Remote Client Information:
	Username: %3
	Domain: %4
	Client Machine: %5
	Client IP: %6
	Client Network Name: %7

NTLM Security:
	Negotiated Flags: %8
	NTLM Version: %9
	Session Key Status: %10
	Channel Binding: %11
	Service Binding: %12
	Target Machine: %13
	Target Domain: %14
	MIC Status: %15
	AvlFlags: %16
	AvlFlags String: %17

Status: %18
Status Message: %19

For more information, see aka.ms/ntlmlogandblock

Fields #

Name	Description
`ProcessName` UnicodeString
`ProcessPID` HexInt32
`Username` UnicodeString
`DomainName` UnicodeString
`RemoteClientMachine` UnicodeString
`ClientIP` UnicodeString
`ClientNetworkName` UnicodeString
`NegotiatedFlags` HexInt32
`NtlmVersion` UnicodeString
`SessionKeyStatus` UnicodeString
`ChannelBindingStatus` UnicodeString
`ServiceBinding` UnicodeString
`TargetMachine` UnicodeString
`TargetDomain` UnicodeString
`MicStatus` UnicodeString
`AvFlags` HexInt32
`AvFlagsStr` UnicodeString
`Status` HexInt32	NTSTATUS reference
`StatusMsg` UInt32

Event ID 4024: Auditing an attempt to use NTLMv1-derived credentials for Single Sign-On.

Provider: Microsoft-Windows-NTLM
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

Auditing an attempt to use NTLMv1-derived credentials for Single Sign-On.

Message #

Auditing an attempt to use NTLMv1-derived credentials for Single Sign-On. 

Target server: %1
Supplied user: %2
Supplied domain: %3
PID of client process: %4
Name of client process: %5
LUID of client process: %6
User identity of client process: %7
Domain name of user identity of client process: %8
Mechanism OID: %9

For more information, see https://go.microsoft.com/fwlink/?linkid=2321802.

Fields #

Name	Description
`TargetName` UnicodeString
`UserName` UnicodeString
`DomainName` UnicodeString
`CallerPID` UInt32
`ProcessName` UnicodeString
`ClientLUID` HexInt64
`ClientUserName` UnicodeString
`ClientDomainName` UnicodeString
`MechanismOID` UnicodeString

Event ID 4025: An attempt to use NTLMv1-derived credentials for Single Sign-On was blocked due to policy.

Provider: Microsoft-Windows-NTLM
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

An attempt to use NTLMv1-derived credentials for Single Sign-On was blocked due to policy.

Message #

An attempt to use NTLMv1-derived credentials for Single Sign-On was blocked due to policy.

Target server: %1
Supplied user: %2
Supplied domain: %3
PID of client process: %4
Name of client process: %5
LUID of client process: %6
User identity of client process: %7
Domain name of user identity of client process: %8
Mechanism OID: %9

For more information, see https://go.microsoft.com/fwlink/?linkid=2321802.

Fields #

Name	Description
`TargetName` UnicodeString
`UserName` UnicodeString
`DomainName` UnicodeString
`CallerPID` UInt32
`ProcessName` UnicodeString
`ClientLUID` HexInt64
`ClientUserName` UnicodeString
`ClientDomainName` UnicodeString
`MechanismOID` UnicodeString

Event ID 8001: NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked.

Provider: Microsoft-Windows-NTLM
Channel: Operational
Level: Informational
Collection Priority: Recommended (Palantir, others)
Task: AuditingNTLM

Description

NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked.

Message #

NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked.
Target server: %1
Supplied user: %2
Supplied domain: %3
PID of client process: %4
Name of client process: %5
LUID of client process: %6
User identity of client process: %7
Domain name of user identity of client process: %8
Mechanism OID: %9

Audit the NTLM authentication requests from this computer that would be blocked by the target server %1 if the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers is set to Deny all.

If you want all servers to accept NTLM authentication requests from this computer, set the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Allow all.

If you want only the target server %1 to accept NTLM authentication requests from this computer, set the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Deny all, and then set the security policy Network Security: Restrict NTLM: Add remote server exceptions and list the target server %1 as an exception to use NTLM authentication.

Fields #

Name	Description	Rules
`TargetName` UnicodeString		1 detection rule
`UserName` UnicodeString
`DomainName` UnicodeString
`CallerPID` UInt32
`ProcessName` UnicodeString
`ClientLUID` HexInt64
`ClientUserName` UnicodeString
`ClientDomainName` UnicodeString
`MechanismOID` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-NTLM",
    "guid": "{AC43300D-5FCC-4800-8E99-1BD3F85F0320}",
    "event_source_name": "",
    "event_id": 8001,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-30T14:11:17.9857991+00:00",
    "event_record_id": 1127,
    "correlation": {
      "ActivityID": "{67027F60-11EF-4815-84ED-F5CEDD82DBFC}"
    },
    "execution": {
      "process_id": 868,
      "thread_id": 10552
    },
    "channel": "Microsoft-Windows-NTLM/Operational",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "TargetName": "cifs/10.2.10.21",
    "UserName": "(NULL)",
    "DomainName": "(NULL)",
    "CallerPID": "4",
    "ProcessName": "-",
    "ClientLUID": "0xf3b7f",
    "ClientUserName": "domainadmin",
    "ClientDomainName": "ludus",
    "MechanismOID": "(NULL)"
  },
  "message": "NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked.\r\nTarget server: cifs/10.2.10.21\r\nSupplied user: (NULL)\r\nSupplied domain: (NULL)\r\nPID of client process: 4\r\nName of client process: -\r\nLUID of client process: 0xF3B7F\r\nUser identity of client process: domainadmin\r\nDomain name of user identity of client process: ludus\r\nMechanism OID: (NULL)\r\n\r\nAudit the NTLM authentication requests from this computer that would be blocked by the target server cifs/10.2.10.21 if the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers is set to Deny all.\r\n\r\nIf you want all servers to accept NTLM authentication requests from this computer, set the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Allow all.\r\n\r\nIf you want only the target server cifs/10.2.10.21 to accept NTLM authentication requests from this computer, set the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Deny all, and then set the security policy Network Security: Restrict NTLM: Add remote server exceptions and list the target server cifs/10.2.10.21 as an exception to use NTLM authentication."
}

Detection Rules #

View all rules referencing this event →

Sigma # view in coverage

Potential Remote Desktop Connection to Non-Domain Host source medium: Detects logons using NTLM to hosts that are potentially not part of the domain.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/jj865682(v=ws.10)

Event ID 8002: NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked.

Provider: Microsoft-Windows-NTLM
Channel: Operational
Level: Informational
Collection Priority: Recommended (Palantir, others)
Task: AuditingNTLM

Description

NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked.

Message #

NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked
Calling process PID: %1
Calling process name: %2
Calling process LUID: %3
Calling process user identity: %4
Calling process domain identity: %5
Mechanism OID: %6

Audit NTLM authentication requests to this server that would be blocked if the security policy Network Security: Restrict NTLM: Incoming NTLM Traffic is set to Deny all accounts or Deny all domain accounts.

If you want this server to allow NTLM authentication, set the security policy Network Security: Restrict NTLM: Incoming NTLM Traffic to Allow all.

Fields #

Name	Description
`CallerPID` UInt32
`ProcessName` UnicodeString
`ClientLUID` HexInt64
`ClientUserName` UnicodeString
`ClientDomainName` UnicodeString
`MechanismOID` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-NTLM",
    "guid": "AC43300D-5FCC-4800-8E99-1BD3F85F0320",
    "event_source_name": "",
    "event_id": 8002,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-12T02:56:00.824258+00:00",
    "event_record_id": 1104,
    "correlation": {
      "ActivityID": "CC8E79E3-F5C5-4F46-89CF-44829F945FA1"
    },
    "execution": {
      "process_id": 720,
      "thread_id": 12064
    },
    "channel": "Microsoft-Windows-NTLM/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "CallerPID": 720,
    "ProcessName": "C:\\Windows\\System32\\lsass.exe",
    "ClientLUID": "0x3e4",
    "ClientUserName": "LAB-WIN11$",
    "ClientDomainName": "WORKGROUP",
    "MechanismOID": "(NULL)"
  },
  "message": ""
}

Detection Rules #

View all rules referencing this event →

Sigma # view in coverage

NTLM Logon source low: Detects logons using NTLM, which could be caused by a legacy source or attackers

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/jj865682(v=ws.10)

Event ID 8003: NTLM server blocked in the domain audit: Audit NTLM authentication in this domain.

Provider: Microsoft-Windows-NTLM
Channel: Operational
Level: Informational
Collection Priority: Recommended (Palantir, others)
Task: AuditingNTLM

Description

NTLM server blocked in the domain audit: Audit NTLM authentication in this domain.

Message #

NTLM server blocked in the domain audit: Audit NTLM authentication in this domain
User: %1
Domain: %2
Workstation: %3
PID: %4
Process: %5
Logon type: %6
InProc: %7
Mechanism: %8

Audit NTLM authentication requests within this domain that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to Deny for domain servers or Deny domain accounts to domain servers.

If you want to allow NTLM authentication requests in the domain %1, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests to specific servers in the domain %1, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in this domain to use NTLM authentication.

Fields #

Name	Description
`UserName` UnicodeString
`DomainName` UnicodeString
`Workstation` UnicodeString
`CallerPID` UInt32
`ProcessName` UnicodeString
`LogonType` UInt32	Logon type code (2=Interactive, 3=Network, 4=Batch, 5=Service, 7=Unlock, 8=NetworkCleartext, 9=NewCredentials, 10=RemoteInteractive, 11=CachedInteractive). Logon type reference
`InProc` Boolean
`MechanismOID` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-NTLM",
    "guid": "AC43300D-5FCC-4800-8E99-1BD3F85F0320",
    "event_source_name": "",
    "event_id": 8003,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-09T00:55:20.842728+00:00",
    "event_record_id": 957,
    "correlation": {
      "ActivityID": "4F958266-269A-4D65-B9BD-F5FA499B7442"
    },
    "execution": {
      "process_id": 764,
      "thread_id": 3132
    },
    "channel": "Microsoft-Windows-NTLM/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "UserName": "domainuser",
    "DomainName": "LUDUS",
    "Workstation": "(NULL)",
    "CallerPID": 764,
    "ProcessName": "C:\\Windows\\System32\\lsass.exe",
    "LogonType": 3,
    "InProc": true,
    "MechanismOID": "(NULL)"
  },
  "message": ""
}

Community Notes #

Appearing prior to 4624/4776 may indicate unsuccessful coercion probes.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/jj865682(v=ws.10)

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID ac43300d-5fcc-4800-8e99-1bd3f85f0320

Defined in msv1_0.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.4050, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)