Mishcon de Reya

Legacy authentication protocol puts entire networks at risk

Posted on 27 January 2026

What happened?

Mandiant (Google’s incident response, digital forensics, and threat intelligence division) has publicly released a comprehensive dataset of Net-NTLMv1 rainbow tables, generated using Google Cloud's scalable compute resources. Despite Net-NTLMv1 being deprecated and known to be insecure for over two decades, Mandiant consultants continue to identify its use in active environments. By releasing these tables, Mandiant aims to lower the barrier for security professionals to demonstrate the insecurity of Net-NTLMv1. While tools to exploit this protocol have existed for years, they often required uploading sensitive data to third-party services or expensive hardware to brute-force keys. This dataset now allows defenders and researchers to recover keys in under 12 hours using consumer hardware costing less than $600 USD.

So what?

If an attacker can capture certain authentication data from a system still using Net-NTLMv1, they can use these rainbow tables to crack the password in a matter of hours. Once they have the password, they can impersonate that account, and if it belongs to a privileged system like a domain controller, they can gain access to every other account in the organisation's network. Despite being outdated and insecure, many organisations still use this protocol simply because they haven't gotten around to changing it, or because the risk hasn't seemed urgent enough until now.

What should I do?

Organisations should immediately disable the use of Net-NTLMv1.

For local computer policy

Navigate to "Local Security Settings" > "Local Policies" > "Security Options" > "Network security: LAN Manager authentication level" and set it to "Send NTLMv2 response only".

For group policy

Navigate to "Computer Configuration" > "Policies" > "Windows Settings" > "Security Settings" > "Local Policies" > "Security Options" > "Network security: LAN Manager authentication level" and set it to "Send NTLMv2 response only".

Additionally, organisations should implement monitoring and alerting for Net-NTLMv1 usage by filtering Event Logs for Event ID 4624 ("An account was successfully logged on") and checking the "Package Name (NTLM only)" attribute under "Detailed Authentication Information". If the value is "LM" or "NTLMv1", the legacy protocol was used.
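
The Event ID 4624 check described above, sketched in Python as an added example (not code from the original article or from Mandiant). It assumes events exported as XML, where "Package Name (NTLM only)" appears as the `LmPackageName` data field, and it normalises spacing so that both "NTLM V1" and "NTLMv1" match; the sample events are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Legacy package names, compared after stripping spaces and upper-casing.
LEGACY = {"LM", "NTLMV1"}


def _event(event_id, user, workstation, package):
    """Build a constructed event, trimmed to the fields this check reads."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID></System><EventData>"
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="WorkstationName">{workstation}</Data>'
        f'<Data Name="LmPackageName">{package}</Data>'
        "</EventData></Event>"
    )


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    _event(4624, "svc-backup", "FILESRV01", "NTLM V1"),
    _event(4624, "alice", "WKSTN07", "NTLM V2"),
    _event(4624, "PRINTER$", "PRN02", "LM"),
    _event(4624, "bob", "WKSTN09", "-"),            # non-NTLM logon: field is "-"
    _event(4625, "mallory", "WKSTN11", "NTLM V1"),  # different event ID, skipped
]


def legacy_ntlm_logons(events_xml):
    """Return (user, workstation, package) for 4624 events that used LM or NTLMv1."""
    hits = []
    for raw in events_xml:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in root.iterfind("e:EventData/e:Data", NS)}
        package = data.get("LmPackageName", "")
        if package.replace(" ", "").upper() in LEGACY:
            hits.append((data.get("TargetUserName"),
                         data.get("WorkstationName"), package))
    return hits


if __name__ == "__main__":
    for user, host, pkg in legacy_ntlm_logons(SAMPLE_EVENTS):
        print(f"ALERT legacy NTLM logon: user={user} workstation={host} package={pkg}")
```

Each hit names the account and source workstation, which is what is needed to find the client or application still negotiating the legacy protocol.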
