Machine Account NTLM Relay

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2026-03-15

Activation Period	14 Days
Training Period	30 Days
Test Period	10 Minutes
Deduplication Period	1 Day
Required Data	Requires one of the following data sources: Palo Alto Networks Platform Logs OR XDR Agent
Detection Modules
Detector Tags
ATT&CK Tactic	Credential Access (TA0006) Lateral Movement (TA0008)
ATT&CK Technique	Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)
Severity	Low

An NTLM NTProofStr was seen from more than one source.
This indicates that machine account NTLM authentication data has been relayed.

The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.

Check that the alerted host is not a NAT or a proxy that duplicates traffic as part of its normal behavior.
Check if the protocols used are vulnerable to an NTLM relay attack (e.g. LDAP, SMB).
Ensure that SMB signing is enabled in the case of a possible SMB relay attack.