NTLM Password Spray

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

10 Minutes

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Palo Alto Networks Platform Logs
      OR
    • XDR Agent

Detection Modules

Identity Analytics

Detector Tags

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Brute Force: Password Spraying (T1110.003)

Severity

Informational

Description

A single host tried to perform an unusual amount of login attempts using NTLM in a short period of time.
This may be indicative of a NTLM password spray attack.

Attacker's Goals

The attacker may attempt to guess user credential by password spray attack over multiple machines.

Investigative actions

Verify any successful authentication made by one of the user accounts referenced by the alert, as these may indicate the attacker managed to guess the credentials.

Variations

NTLM password spray on a sensitive entity

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Brute Force: Password Spraying (T1110.003)

Severity

Low

Description

A single host tried to perform an unusual amount of login attempts using NTLM in a short period of time on a sensitive entity.
This may be indicative of a NTLM password spray attack.

Attacker's Goals

The attacker may attempt to guess user credential by password spray attack over multiple machines.

Investigative actions

Verify any successful authentication made by one of the user accounts referenced by the alert, as these may indicate the attacker managed to guess the credentials.