A user authenticated with weak NTLM to multiple hosts

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-18
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

1 Hour

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Windows Event Collector
      OR
    • XDR Agent

Detection Modules

Identity Analytics

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Use Alternate Authentication Material (T1550)

Severity

Informational

Description

A user account authenticated to multiple hosts via NTLMv1 or LM authentication for the first time in the past 30 days.

Attacker's Goals

The attacker attempts to gain access to the accounts.

Investigative actions

  • Audit all login events with a weaker protocol and review any anomalous usage.
  • Investigate the mentioned user for additional suspicious activity.