Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | 10 Minutes |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Identity Analytics |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A single host made an unusual number of login attempts using NTLM in a short period of time.
This may be indicative of an NTLM password spray attack.
Attacker's Goals
The attacker may attempt to guess user credentials through a password spray attack across multiple machines.
Investigative actions
Verify any successful authentications made by the user accounts referenced by the alert, as these may indicate that the attacker managed to guess the credentials.
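
The sketch below is an added example, not the product's own detection logic. It groups NTLM login attempts per source host into 10-minute windows (the Test Period above), then lists the accounts in a flagged window that also authenticated successfully, which are the ones the investigative action says to verify. The event tuple layout, the host and user names, and the fixed `MIN_ATTEMPTS` threshold (standing in for the trained baseline) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TEST_PERIOD = timedelta(minutes=10)  # the Test Period from the synopsis
MIN_ATTEMPTS = 5                     # assumed fixed threshold, stands in for a trained baseline

def at(hhmm):
    """Build a timestamp on a constructed sample date."""
    return datetime.fromisoformat(f"2024-01-01T{hhmm}:00")

# Constructed sample events: (time, source_host, user, auth_package, success)
EVENTS = [
    (at("09:00"), "ws-17", "alice", "NTLM", False),
    (at("09:01"), "ws-17", "bob", "NTLM", False),
    (at("09:02"), "ws-17", "carol", "NTLM", False),
    (at("09:03"), "ws-17", "dave", "NTLM", False),
    (at("09:04"), "ws-17", "erin", "NTLM", False),
    (at("09:05"), "ws-17", "frank", "NTLM", True),
    (at("09:06"), "ws-22", "alice", "NTLM", False),
    (at("09:07"), "ws-22", "alice", "NTLM", True),
    (at("09:08"), "ws-17", "gina", "Kerberos", False),
]

def spray_windows(events):
    """Return {(host, window_start): users} for hosts with many NTLM attempts in one window."""
    buckets = defaultdict(list)
    epoch = datetime(1970, 1, 1)
    for ts, host, user, package, _ok in events:
        if package != "NTLM":
            continue  # only NTLM attempts count toward this alert
        start = ts - ((ts - epoch) % TEST_PERIOD)  # tumbling 10-minute bucket
        buckets[(host, start)].append(user)
    return {k: set(u) for k, u in buckets.items() if len(u) >= MIN_ATTEMPTS}

def successes_to_verify(events, host, start, users):
    """Accounts from a flagged window that logged in successfully from that host."""
    end = start + TEST_PERIOD
    return sorted({u for ts, h, u, p, ok in events
                   if ok and p == "NTLM" and h == host and u in users and start <= ts < end})

if __name__ == "__main__":
    for (host, start), users in spray_windows(EVENTS).items():
        print(host, start, sorted(users), successes_to_verify(EVENTS, host, start, users))
```
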