In Windows 11 version 24H2 and Windows Server 2025, a new NTLM audit policy and new audit events have been added. The enhanced auditing supports improved security monitoring and helps identify outdated dependencies on NTLM authentication.
Recent Windows releases already enable several protections against NTLM relay attacks by default, such as EPA, SMB signing, and LDAP channel binding. However, an in-place upgrade from an older version of the operating system keeps the existing settings, so relay attacks will still work on upgraded systems.
Therefore, pay attention to these new events:
— 4020 (Informational)
— 4021 (Warning) “This machine attempted to authenticate to a remote resource via NTLM”
— 4022 (Informational)
— 4023 (Warning) “A remote client is using NTLM to authenticate to this workstation”
These events can be used to detect coercion attacks or to analyze unusual NTLM authentication settings.
The screenshot below shows an example of a coercion attack: a chain of events 4023 and 4021 from the same attacker IP address:
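The correlation described above, as an added Python example that is not part of the original post: it pairs an inbound 4023 event with a later 4021 event from the same remote address within a short window. The event records are constructed, and the field names (`event_id`, `time`, `remote_ip`) are an assumed normalisation of the exported event data, not the actual Windows event schema.

```python
"""Correlate NTLM audit events 4023 (remote client authenticated to this host
via NTLM) and 4021 (this host authenticated outbound via NTLM) by remote IP.
Added example; field names are an assumed normalisation, not the event schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one tight 4023 -> 4021 chain from 10.0.0.5,
# a lone 4021 from 10.0.0.9, and a 4023/4021 pair from 10.0.0.7 that is
# ten minutes apart and should only match with a wide window.
SAMPLE_EVENTS = [
    {"event_id": 4023, "time": "2024-11-01T10:00:00", "remote_ip": "10.0.0.5"},
    {"event_id": 4021, "time": "2024-11-01T10:00:02", "remote_ip": "10.0.0.5"},
    {"event_id": 4021, "time": "2024-11-01T10:30:00", "remote_ip": "10.0.0.9"},
    {"event_id": 4023, "time": "2024-11-01T11:00:00", "remote_ip": "10.0.0.7"},
    {"event_id": 4021, "time": "2024-11-01T11:10:00", "remote_ip": "10.0.0.7"},
]


def _ts(value):
    """Parse the ISO-8601 timestamp used in the constructed records."""
    return datetime.fromisoformat(value)


def find_coercion_chains(events, window_seconds=60):
    """Return (remote_ip, inbound_time, outbound_time) for every 4023 that is
    followed, within window_seconds, by a 4021 involving the same address.
    The order matters: the inbound authentication must come first."""
    by_ip = defaultdict(list)
    for event in sorted(events, key=lambda e: _ts(e["time"])):
        by_ip[event["remote_ip"]].append(event)

    chains = []
    for ip, ip_events in by_ip.items():
        inbound = [e for e in ip_events if e["event_id"] == 4023]
        outbound = [e for e in ip_events if e["event_id"] == 4021]
        for i in inbound:
            for o in outbound:
                delta = _ts(o["time"]) - _ts(i["time"])
                if timedelta(0) <= delta <= timedelta(seconds=window_seconds):
                    chains.append((ip, i["time"], o["time"]))
    return chains


if __name__ == "__main__":
    for chain in find_coercion_chains(SAMPLE_EVENTS):
        print("possible coercion chain:", chain)
```

A real deployment would feed the function events exported from the Windows event log rather than the constructed list, and would tune the window to the observed delay between the inbound call and the outbound authentication.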


