Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | 1 Hour |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Identity Analytics |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A user account authenticated to multiple hosts via NTLMv1 or LM authentication for the first time in the past 30 days.
Attacker's Goals
The attacker attempts to gain access to the accounts.
Investigative actions
- Audit all login events with a weaker protocol and review any anomalous usage.
- Investigate the mentioned user for additional suspicious activity.
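
One way to carry out the first investigative action offline, as an added example that is not the product's detection logic. It assumes logon records exported from Windows Security event 4624, whose `LmPackageName` field reports the NTLM version; the tuple layout, the two-host threshold, the reading of "first time" as "no weak logon in the preceding 30 days" and the sample records are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WEAK_PACKAGES = {"NTLM V1", "LM"}  # LmPackageName values reported by event 4624
TRAINING = timedelta(days=30)      # training period from the synopsis
TEST = timedelta(hours=1)          # test period from the synopsis
MIN_HOSTS = 2                      # assumption: "multiple hosts" means two or more

# Constructed sample records: (user, host, LmPackageName, timestamp). Not real logs.
SAMPLE_EVENTS = [
    ("svc-backup", "FS01", "NTLM V1", "2024-05-02T08:00:00"),   # weak logon in baseline
    ("svc-backup", "FS02", "NTLM V1", "2024-05-20T09:10:00"),
    ("svc-backup", "FS03", "NTLM V1", "2024-05-20T09:20:00"),
    ("jdoe", "WS10", "NTLM V2", "2024-05-10T12:00:00"),         # NTLMv2 is ignored
    ("jdoe", "WS11", "NTLM V1", "2024-05-20T09:05:00"),
    ("jdoe", "DC01", "LM", "2024-05-20T09:40:00"),
    ("asmith", "WS20", "NTLM V1", "2024-05-20T09:30:00"),       # one host only
    ("legacy-app", "APP01", "LM", "2024-03-01T00:00:00"),       # older than baseline
    ("legacy-app", "APP01", "LM", "2024-05-20T09:15:00"),
    ("legacy-app", "APP02", "LM", "2024-05-20T09:45:00"),
]


def first_time_weak_ntlm(events, now):
    """Return {user: sorted hosts} for users whose NTLMv1/LM logons reached
    MIN_HOSTS or more hosts in the test window, with no NTLMv1/LM logon
    in the training window that precedes it."""
    test_start = now - TEST
    baseline_start = test_start - TRAINING
    seen_before = set()          # users with weak logons during the baseline
    recent = defaultdict(set)    # user -> hosts reached in the test window
    for user, host, package, ts in events:
        if package not in WEAK_PACKAGES:
            continue
        when = datetime.fromisoformat(ts)
        user = user.lower()      # account names are case-insensitive
        if baseline_start <= when < test_start:
            seen_before.add(user)
        elif test_start <= when <= now:
            recent[user].add(host.upper())
    return {u: sorted(h) for u, h in recent.items()
            if u not in seen_before and len(h) >= MIN_HOSTS}


if __name__ == "__main__":
    for user, hosts in first_time_weak_ntlm(SAMPLE_EVENTS, datetime(2024, 5, 20, 10)).items():
        print(f"{user}: first NTLMv1/LM use in 30 days, hosts={hosts}")
```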