Kerberos Pre-Auth Failures by Host

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-18
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

10 Minutes

Deduplication Period

1 Hour

Required Data

  • Requires one of the following data sources:
    • Palo Alto Networks Platform Logs
      OR
    • XDR Agent

Detection Modules

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Brute Force (T1110)

Severity

Low

Description

The endpoint failed an unusual number of Kerberos pre-authentications (TGT requests) from at least three users when compared to its baseline.
This can indicate a password-spraying attack.

Attacker's Goals

The attacker is attempting to gain an initial foothold in the domain using a list of valid users and a guessed password.

Investigative actions

  • Verify whether the host that generated the alert is normally used by many users (for example, a terminal server).
  • Verify any later authentication success for the user accounts referenced by the alert, as these can indicate the attacker managed to guess the credentials.