Query Details

DumpGuard NTLM challenge detected

Detect Dump Guard Ntlm Challenge

Query

DeviceNetworkEvents
// Get NTLM Challenges
| where ActionType == "NetworkSignatureInspected"
| where tostring(todynamic(AdditionalFields).SignatureName) =~ "NTLM-Challenge"
// Extract the NTLM Sample Packet
| extend SamplePacketContent = extract('\\["(.+)"\\]', 1, tostring(todynamic(AdditionalFields).SamplePacketContent))
// Remove % values, since the '1122334455667788' is easy to find without conversions
| extend NewSamplePacketContent = strcat_array(split(SamplePacketContent, "%"), "")
| where NewSamplePacketContent contains "1122334455667788"

About this query

Explanation

This query is designed to detect a specific type of security threat involving the DumpGuard tool, which attackers use to bypass Credential Guard on devices. Here's a simplified breakdown of what the query does:

  1. Data Source: It looks at network events on devices, specifically those events where network signatures are inspected.

  2. Filter for NTLM Challenges: The query filters these events to find those related to NTLM challenges, a type of authentication process.

  3. Extract Packet Content: It extracts the content of the NTLM sample packet from the event data.

  4. Remove Encoding: The query removes any percentage encoding from the packet content to make it easier to analyze.

  5. Detect Hard-Coded Value: It checks if the packet content contains a specific hard-coded value ("1122334455667788") known to be used by the DumpGuard tool.

The purpose of this query is to identify potential misuse of the DumpGuard tool, which can be used to dump credentials even when Credential Guard is enabled. However, the detection relies on a static indicator (the hard-coded value), which can be easily changed by attackers, making this detection method less reliable. Nonetheless, if this specific pattern is detected, it is a strong indicator of a true positive security threat.

Details

Robbe Van den Daele profile picture

Robbe Van den Daele

Released: October 24, 2025

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsAdditionalFieldsSignatureNameSamplePacketContent

Operators

DeviceNetworkEvents|where==tostringtodynamic=~extendextract1strcat_arraysplitcontains

MITRE Techniques

Actions

GitHub