```yaml
title: NTLM Hash Theft via Internal Monologue
id: edr-win-cred-ntlm-internal-monologue
status: stable
description: >
  Detects modification of the RestrictSendingNTLMTraffic registry value to 0, which
  weakens NTLM restrictions and enables the Internal Monologue attack — extraction of
  NTLM hashes without touching LSASS. Observed in SocGholish-to-RansomHub intrusion chains.
references:
  - https://github.com/eladshamir/Internal-Monologue
  - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
author: ShroudCloud
date: 2026/04/14
modified: 2026/04/14
tags:
  - attack.credential_access
  - attack.t1003
  - attack.t1187
logsource:
  category: registry_set
  product: windows
detection:
  selection:
    TargetObject|contains: 'RestrictSendingNTLMTraffic'
    Details: 'DWORD (0x00000000)'
  condition: selection
falsepositives:
  - System administration lowering NTLM restrictions during migrations (should be a documented change)
  - Ansible or automation modifying NTLM settings
level: high
```
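To see what the rule's `selection` actually fires on, here is an added Python matcher (not part of the rule and not Sigma tooling) that applies the two field conditions to constructed Sysmon Event ID 13 (RegistryEvent, Value Set) records; the event dictionaries are made up for the example, while the registry path and the `DWORD (0x00000000)` Details format follow Sysmon's layout.

```python
"""Apply the rule's Sigma selection to Sysmon Event ID 13 registry_set records."""
from typing import Dict, List

# Sigma selection copied from the rule; keys use Sigma's field|modifier syntax.
SELECTION: Dict[str, str] = {
    "TargetObject|contains": "RestrictSendingNTLMTraffic",
    "Details": "DWORD (0x00000000)",
}


def field_matches(event: Dict[str, object], key: str, expected: str) -> bool:
    """Evaluate one Sigma field condition; Sigma string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if not isinstance(actual, str):
        return False
    if modifier == "contains":
        return expected.lower() in actual.lower()
    if modifier == "":  # no modifier: exact (case-insensitive) equality
        return actual.lower() == expected.lower()
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def selection_matches(event: Dict[str, object], selection: Dict[str, str] = SELECTION) -> bool:
    """All keys inside one Sigma selection map are ANDed together."""
    return all(field_matches(event, k, v) for k, v in selection.items())


# Constructed sample telemetry shaped like Sysmon EID 13 fields (not real logs).
LSA_MSV = "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\"
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # Value set to 0: lifts the NTLM restriction, this is the rule's target.
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": LSA_MSV + "RestrictSendingNTLMTraffic", "Details": "DWORD (0x00000000)"},
    # Same value hardened to 2 (deny all): must not alert.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\gpupdate.exe",
     "TargetObject": LSA_MSV + "RestrictSendingNTLMTraffic", "Details": "DWORD (0x00000002)"},
    # Different Lsa value set to 0: outside this rule's scope.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel",
     "Details": "DWORD (0x00000000)"},
]


def find_alerts(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the events the rule would raise; the Image field is what a triager checks first."""
    return [e for e in events if selection_matches(e)]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT {hit['Image']} set {hit['TargetObject']} = {hit['Details']}")
```

Only the first record matches; a value-set to any non-zero DWORD, or to a neighbouring Lsa value, falls outside the selection, which is why the rule's false positives are limited to deliberate loosening of the setting.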