Public Rainbow Tables Sharpen NTLMv1 Attacks, Prompting Urgent Remediation
Mandiant publicly released Net-NTLMv1 rainbow tables, making NTLMv1 hash cracking practical with modest hardware and lowering barriers for admin-level credential compromise. The dataset, hosted via Google Cloud, underscores the urgent need to disable Net-NTLMv1 and migrate to NTLMv2; organizations should monitor for LM/NTLMv1 usage in Windows Event logs (e.g., Event ID 4624) and implement robust detection and remediation to prevent post-compromise downgrades and broader AD compromise (e.g., DCSync attacks).