Rare NTLM Usage by User

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-11-18
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Palo Alto Networks Platform Logs
      OR
    • XDR Agent

Detection Modules

Identity Analytics

Detector Tags

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Use Alternate Authentication Material (T1550)

Severity

Informational

Description

Rare authentication by user account to host via NTLM.
The user has not authenticated with NTLM in the past 30 days.
This may be indicative of downgrade attacks from Kerberos to NTLM.

Attacker's Goals

The attacker is attempting to move laterally within a compromised network.

Investigative actions

Verify any successful authentication for the user account referenced by the alert, as these can indicate the attacker managed to use the stolen credentials.