NTLM Relay

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-18
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

10 Minutes

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Palo Alto Networks Platform Logs
      OR
    • XDR Agent

Detection Modules

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

An NTLM NTProofStr was seen from more than one source.
This indicates that NTLM authentication data has been relayed.

Attacker's Goals

The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.

Investigative actions

  • Check that the alerted host is not a NAT or a proxy that duplicates traffic as part of its normal behavior.
  • Check if the protocols used are vulnerable to an NTLM relay attack (e.g. LDAP, SMB).
  • Ensure that SMB signing is enabled in the case of a possible SMB relay attack.