Synopsis

| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Identity Analytics |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
Rare authentication by a user account to a host via NTLM.
The user has not authenticated with NTLM in the past 30 days.
This may indicate a downgrade attack from Kerberos to NTLM.
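The detection logic above, as an added worked example that is not part of the original detector or its vendor's code: it replays constructed logon events shaped like Windows Security 4624 records (user, host, authentication package, timestamp), builds a per-user NTLM profile over the 30-day training period, waits out the 14-day activation period, and suppresses repeat alerts for the same user and host within the 1-day deduplication period. The daily profile granularity and the per-user/host dedup key are assumptions.

```python
from datetime import datetime, timedelta

ACTIVATION_PERIOD = timedelta(days=14)  # no alerts until this much data has been seen
TRAINING_PERIOD = timedelta(days=30)    # per-user NTLM baseline window
DEDUP_PERIOD = timedelta(days=1)        # suppress repeat alerts per (user, host)

# Constructed sample logons for this example (not real telemetry), shaped like
# the fields of a Windows Security 4624 event.
SAMPLE_EVENTS = [
    {"ts": "2024-04-01T08:00:00", "user": "alice", "host": "FS01", "package": "NTLM"},
    {"ts": "2024-04-05T09:00:00", "user": "alice", "host": "FS01", "package": "NTLM"},
    {"ts": "2024-04-20T09:30:00", "user": "alice", "host": "FS01", "package": "NTLM"},
    {"ts": "2024-05-10T10:00:00", "user": "bob",   "host": "DC01", "package": "Kerberos"},
    {"ts": "2024-05-25T09:00:00", "user": "alice", "host": "FS02", "package": "NTLM"},
    {"ts": "2024-05-25T11:00:00", "user": "alice", "host": "FS02", "package": "NTLM"},
    {"ts": "2024-05-25T15:00:00", "user": "bob",   "host": "FS02", "package": "NTLM"},
]


def rare_ntlm_alerts(events):
    """Return alerts for NTLM logons by users with no NTLM logon on any earlier
    day inside the training window. The profile is assumed to update once per
    day, so same-day logons do not baseline each other; dedup handles repeats."""
    events = sorted(events, key=lambda e: e["ts"])
    first_seen = datetime.fromisoformat(events[0]["ts"])
    ntlm_days = {}    # user -> set of dates on which an NTLM logon was observed
    last_alert = {}   # (user, host) -> datetime of the most recent alert
    alerts = []
    for e in events:
        if e["package"] != "NTLM":
            continue  # Kerberos and other packages only matter by their absence
        ts = datetime.fromisoformat(e["ts"])
        today = ts.date()
        history = ntlm_days.setdefault(e["user"], set())
        seen_recently = any(today - TRAINING_PERIOD <= d < today for d in history)
        history.add(today)
        if seen_recently or ts - first_seen < ACTIVATION_PERIOD:
            continue  # baseline behaviour, or detector not yet activated
        key = (e["user"], e["host"])
        if key in last_alert and ts - last_alert[key] < DEDUP_PERIOD:
            continue  # already alerted on this user/host within the dedup period
        last_alert[key] = ts
        alerts.append({"user": e["user"], "host": e["host"], "ts": e["ts"]})
    return alerts
```

Running it on the sample yields two alerts: alice to FS02 (her last NTLM logon was 35 days earlier) and bob to FS02 (he had only used Kerberos before), while the repeat alice logon two hours later is deduplicated.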
Attacker's Goals
The attacker is attempting to move laterally within a compromised network.
Investigative actions
Verify whether any authentication by the user account referenced in the alert succeeded, as a successful authentication can indicate that the attacker managed to use the stolen credentials.