Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

5 alerts match the current filters. tactic: TA0006 ✕ technique: T1187 ✕

Show ATT&CK heatmap
  • Possible Distributed File System Namespace Management (DFSNM) abuse High

    A possible abuse of Distributed File System Namespace Management (DFSNM).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Forced Authentication (T1187) Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker can abuse the Distributed File System Namespace Management protocol to coerce an authentication from a DC. This authentication can later be used for obtaining a DC certificate for DCSync.
    Investigative actions: Check for a suspicious process on the initiator. Check if the source host is a vulnerability scanner. Look for unusual AD CS certificate requests. Check for possible DCSync alerts.
  • Possible authentication coercion Informational Identity Analytics 2 variations

    An unusual Remote Procedure Call (RPC) was made to potentially cause authentication coercion.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Forced Authentication (T1187) Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker can abuse Remote Procedure Calls to coerce authentication from servers.
    Investigative actions: Check for a suspicious process on the initiator. Check if the source host is a vulnerability scanner. Check for unusual connections from {actor_remote_ip} to other servers in the network. Check for logged-in users to {actor_remote_ip} and investigate their actions. Check for indicators of compromise on {actor_remote_ip}.

    Variations

    Possible authentication coercion from an unconstrained delegation server to a sensitive server

    Medium overridden

    An unusual Remote Procedure Call (RPC) was made towards a sensitive server, to potentially cause authentication coercion. overridden

    Possible authentication coercion to a sensitive server

    Low overridden

    An unusual Remote Procedure Call (RPC) was made towards a sensitive server, to potentially cause authentication coercion. overridden

  • Suspicious NTLM authentication with machine account Informational Identity Analytics 1 variation

    A suspicious NTLM authentication attempt was made by a machine account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Forced Authentication (T1187)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: An attacker aims to exploit authentication protocols to steal credentials and enable lateral movement within the network.
    Investigative actions: Identify the source and target users and hosts involved in the NTLM authentication attempt. Monitor the users associated with the authentication for any further suspicious activities or unauthorized actions. Look for earlier connections to the source which may cause it to initiate the session. Investigate the root cause of the behavior and determine if it can be mitigated or blocked in the future.

    Variations

    Rare and sensitive NTLM authentication with machine account

    Low overridden

    A rare and sensitive NTLM authentication attempt was made by a machine account. overridden

  • Suspicious Print System Remote Protocol usage by a process Low Identity Analytics

    A host which is trusted for unconstrained delegation initiated an SMB connection to a DC using the Print System Remote Protocol. An attacker can abuse such sessions for relay attacks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Forced Authentication (T1187)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Check if the suspected account is compromised. Check if the source machine is trusted for unconstrained delegation and verify that the machine's configuration should stay that way. Follow actions by the account and if it performed a DCSync.
  • Unusual Encrypting File System Remote call (EFSRPC) to domain controller Low Identity Analytics 3 variations

    An unusual Encrypting File System Remote call (EFSRPC) was made to a domain controller.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Forced Authentication (T1187) Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker can abuse the Encrypting File System Remote Protocol to coerce authentication from a DC. This authentication can later be used for obtaining a DC certificate for DCSync.
    Investigative actions: Check for a suspicious process on the initiator. Check if the source host is a vulnerability scanner. Check for unusual connections from the server of the requested file location (it may be a relay server). Look for unusual AD CS certificate requests. Look for following suspicious connections using the DC machine account. Check for possible DCSync alerts.

    Variations

    A suspicious Encrypting File System Remote call (EFSRPC) was made to a domain controller

    Medium overridden

    An unusual Encrypting File System Remote call (EFSRPC) was made to a domain controller. overridden

    Abnormal Encrypting File System Remote call (EFSRPC) to domain controller using EfsRpcFileKeyInfo for the first time

    Low overridden

    An abnormal EfsRpcFileKeyInfo Encrypting File System Remote call (EFSRPC) was made to a domain controller for the first time. overridden

    Abnormal Encrypting File System Remote call (EFSRPC) to domain controller using EfsRpcFileKeyInfo

    Informational overridden

    An abnormal EfsRpcFileKeyInfo Encrypting File System Remote call (EFSRPC) was made to a domain controller. overridden