Suspicious NTLM authentication with machine account

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2025-03-09

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires one of the following data sources: Palo Alto Networks Platform Logs OR XDR Agent
Detection Modules	Identity Analytics
Detector Tags
ATT&CK Tactic	Credential Access (TA0006)
ATT&CK Technique	Forced Authentication (T1187)
Severity	Informational

A suspicious NTLM authentication attempt was made by a machine account.

An attacker aims to exploit authentication protocols to steal credentials and enable lateral movement within the network.

Identify the source and target users and hosts involved in the NTLM authentication attempt.
Monitor the users associated with the authentication for any further suspicious activities or unauthorized actions.
Look for earlier connections to the source which may cause it to initiate the session.
Investigate the root cause of the behavior and determine if it can be mitigated or blocked in the future.

A rare and sensitive NTLM authentication attempt was made by a machine account.

An attacker aims to exploit authentication protocols to steal credentials and enable lateral movement within the network.

Check for signs of data exfiltration from any internet-facing destination server.
Identify the source and target users and hosts involved in the NTLM authentication attempt.
Monitor the users associated with the authentication for any further suspicious activities or unauthorized actions.
Look for earlier connections to the source which may cause it to initiate the session.
Investigate the root cause of the behavior and determine if it can be mitigated or blocked in the future.