Potential NTLM Relay Attack

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2025-06-10
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

10 Minutes

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Identity Analytics

Detector Tags

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

Multiple NTLM authentications were made to the same workstation and user from different IPs.
This might indicate a potential NTLM Relay attack.

Attacker's Goals

The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.

Investigative actions

  • Ensure that the alerted host is not a NAT device or proxy that replicates or forwards network traffic as part of its expected operational behavior.
  • Check whether the workstation supports weak, outdated versions of NTLM.
  • Check network activity to and from the suspicious IP address and the workstation to verify whether either was compromised.
  • Check process activity associated with the suspicious IP address to verify whether it was compromised.
  • Check for changes in the network configuration, including indicators of poisoning attacks.
  • Closely monitor the actions of the potentially compromised user account for any anomalous behavior.

Variations

NTLM Relay Attack using a sensitive user and a vulnerable package

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

Multiple NTLM authentications were made to the same workstation and sensitive user from different IPs using a vulnerable NTLM package.
This might indicate a potential NTLM Relay attack.

Attacker's Goals

The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.

Investigative actions

  • Ensure that the alerted host is not a NAT device or proxy that replicates or forwards network traffic as part of its expected operational behavior.
  • Check whether the workstation supports weak, outdated versions of NTLM.
  • Check network activity to and from the suspicious IP address and the workstation to verify whether either was compromised.
  • Check process activity associated with the suspicious IP address to verify whether it was compromised.
  • Check for changes in the network configuration, including indicators of poisoning attacks.
  • Closely monitor the actions of the potentially compromised user account for any anomalous behavior.


Potential NTLM Relay Attack using a vulnerable package

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

Multiple NTLM authentications were made to the same workstation and user from different IPs using a vulnerable NTLM package.
This might indicate a potential NTLM Relay attack.

Attacker's Goals

The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.

Investigative actions

  • Ensure that the alerted host is not a NAT device or proxy that replicates or forwards network traffic as part of its expected operational behavior.
  • Check whether the workstation supports weak, outdated versions of NTLM.
  • Check network activity to and from the suspicious IP address and the workstation to verify whether either was compromised.
  • Check process activity associated with the suspicious IP address to verify whether it was compromised.
  • Check for changes in the network configuration, including indicators of poisoning attacks.
  • Closely monitor the actions of the potentially compromised user account for any anomalous behavior.


Potential NTLM Relay Attack using a sensitive user

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

Multiple NTLM authentications were made to the same workstation and sensitive user from different IPs.
This might indicate a potential NTLM Relay attack.

Attacker's Goals

The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.

Investigative actions

  • Ensure that the alerted host is not a NAT device or proxy that replicates or forwards network traffic as part of its expected operational behavior.
  • Check whether the workstation supports weak, outdated versions of NTLM.
  • Check network activity to and from the suspicious IP address and the workstation to verify whether either was compromised.
  • Check process activity associated with the suspicious IP address to verify whether it was compromised.
  • Check for changes in the network configuration, including indicators of poisoning attacks.
  • Closely monitor the actions of the potentially compromised user account for any anomalous behavior.
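As an added worked example (not Cortex XSIAM's own detection code), the logic shared by the base alert and its three variations, run over a constructed set of NTLM authentication events: group by workstation and user, raise an alert when more than one source IP appears within the alert's 10-minute test period, and rate severity by the sensitive-user and vulnerable-package conditions. The event field names, the sensitive-user watchlist and the treatment of "NTLM V1" as the vulnerable package are assumptions, since the page does not define them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. Field names are assumptions;
# the page does not document the XSIAM event schema.
EVENTS = [
    {"ts": "2025-06-10T09:00:05", "workstation": "WS-FIN-07", "user": "jdoe",    "src_ip": "10.0.1.20", "package": "NTLM V2"},
    {"ts": "2025-06-10T09:01:10", "workstation": "WS-FIN-07", "user": "jdoe",    "src_ip": "10.0.1.20", "package": "NTLM V2"},
    {"ts": "2025-06-10T09:03:42", "workstation": "WS-FIN-07", "user": "jdoe",    "src_ip": "10.0.9.77", "package": "NTLM V2"},
    {"ts": "2025-06-10T09:04:00", "workstation": "SRV-DB-01", "user": "svc_sql", "src_ip": "10.0.1.31", "package": "NTLM V1"},
    {"ts": "2025-06-10T09:05:15", "workstation": "SRV-DB-01", "user": "svc_sql", "src_ip": "10.0.9.77", "package": "NTLM V1"},
    # Two IPs for the same user/workstation, but 15 minutes apart: outside the test period.
    {"ts": "2025-06-10T10:30:00", "workstation": "WS-HR-02",  "user": "asmith",  "src_ip": "10.0.2.5",  "package": "NTLM V2"},
    {"ts": "2025-06-10T10:45:00", "workstation": "WS-HR-02",  "user": "asmith",  "src_ip": "10.0.2.6",  "package": "NTLM V2"},
]
SENSITIVE_USERS = {"svc_sql"}        # assumed watchlist of sensitive accounts
VULNERABLE_PACKAGES = {"NTLM V1"}    # assumed meaning of "vulnerable NTLM package"
TEST_PERIOD = timedelta(minutes=10)  # the alert's Test Period from the reference page


def severity(sensitive: bool, vulnerable: bool) -> str:
    """Severity of the four documented variants (base alert and three variations)."""
    if sensitive and vulnerable:
        return "Medium"
    if sensitive or vulnerable:
        return "Low"
    return "Informational"


def detect_ntlm_relay(events, test_period=TEST_PERIOD):
    """Return one alert per (workstation, user) that authenticated from more than
    one source IP inside a single sliding window of length test_period."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["workstation"], e["user"])].append(e)
    alerts = []
    for (ws, user), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        times = [datetime.fromisoformat(e["ts"]) for e in evs]
        start = 0
        for end in range(len(evs)):
            while times[end] - times[start] > test_period:  # slide the window forward
                start += 1
            window = evs[start:end + 1]
            ips = {e["src_ip"] for e in window}
            if len(ips) > 1:
                vuln = any(e["package"] in VULNERABLE_PACKAGES for e in window)
                alerts.append({"workstation": ws, "user": user, "src_ips": sorted(ips),
                               "severity": severity(user in SENSITIVE_USERS, vuln)})
                break  # one alert per key: a simplified stand-in for the 1-day deduplication
    return alerts
```

Running `detect_ntlm_relay(EVENTS)` yields an Informational alert for jdoe on WS-FIN-07 and a Medium alert for svc_sql on SRV-DB-01; asmith's two IPs fall outside the test period and produce nothing.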