Analytics Alerts
Browse the Cortex analytics alert reference.
5 alerts match the current filters. tactic: TA0006 ✕ technique: T1187 ✕
Show ATT&CK heatmapPossible Distributed File System Namespace Management (DFSNM) abuse High
A possible abuse of Distributed File System Namespace Management (DFSNM).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Forced Authentication (T1187) Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker can abuse the Distributed File System Namespace Management protocol to coerce an authentication from a DC. This authentication can later be used for obtaining a DC certificate for DCSync.Investigative actions: Check for a suspicious process on the initiator. Check if the source host is a vulnerability scanner. Look for unusual AD CS certificate requests. Check for possible DCSync alerts.Possible authentication coercion Informational Identity Analytics 2 variations
An unusual Remote Procedure Call (RPC) was made to potentially cause authentication coercion.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Forced Authentication (T1187) Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker can abuse Remote Procedure Calls to coerce authentication from servers.Investigative actions: Check for a suspicious process on the initiator. Check if the source host is a vulnerability scanner. Check for unusual connections from {actor_remote_ip} to other servers in the network. Check for logged-in users to {actor_remote_ip} and investigate their actions. Check for indicators of compromise on {actor_remote_ip}.Variations
Possible authentication coercion from an unconstrained delegation server to a sensitive server
Medium overridden
An unusual Remote Procedure Call (RPC) was made towards a sensitive server, to potentially cause authentication coercion. overridden
Possible authentication coercion to a sensitive server
Low overridden
An unusual Remote Procedure Call (RPC) was made towards a sensitive server, to potentially cause authentication coercion. overridden
Suspicious NTLM authentication with machine account Informational Identity Analytics 1 variation
A suspicious NTLM authentication attempt was made by a machine account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Forced Authentication (T1187)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: An attacker aims to exploit authentication protocols to steal credentials and enable lateral movement within the network.Investigative actions: Identify the source and target users and hosts involved in the NTLM authentication attempt. Monitor the users associated with the authentication for any further suspicious activities or unauthorized actions. Look for earlier connections to the source which may cause it to initiate the session. Investigate the root cause of the behavior and determine if it can be mitigated or blocked in the future.Variations
Rare and sensitive NTLM authentication with machine account
Low overridden
A rare and sensitive NTLM authentication attempt was made by a machine account. overridden
Suspicious Print System Remote Protocol usage by a process Low Identity Analytics
A host which is trusted for unconstrained delegation initiated an SMB connection to a DC using the Print System Remote Protocol. An attacker can abuse such sessions for relay attacks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Forced Authentication (T1187)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Check if the suspected account is compromised. Check if the source machine is trusted for unconstrained delegation and verify that the machine's configuration should stay that way. Follow actions by the account and if it performed a DCSync.Unusual Encrypting File System Remote call (EFSRPC) to domain controller Low Identity Analytics 3 variations
An unusual Encrypting File System Remote call (EFSRPC) was made to a domain controller.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Forced Authentication (T1187) Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker can abuse the Encrypting File System Remote Protocol to coerce authentication from a DC. This authentication can later be used for obtaining a DC certificate for DCSync.Investigative actions: Check for a suspicious process on the initiator. Check if the source host is a vulnerability scanner. Check for unusual connections from the server of the requested file location (it may be a relay server). Look for unusual AD CS certificate requests. Look for following suspicious connections using the DC machine account. Check for possible DCSync alerts.Variations
A suspicious Encrypting File System Remote call (EFSRPC) was made to a domain controller
Medium overridden
An unusual Encrypting File System Remote call (EFSRPC) was made to a domain controller. overridden
Abnormal Encrypting File System Remote call (EFSRPC) to domain controller using EfsRpcFileKeyInfo for the first time
Low overridden
An abnormal EfsRpcFileKeyInfo Encrypting File System Remote call (EFSRPC) was made to a domain controller for the first time. overridden
Abnormal Encrypting File System Remote call (EFSRPC) to domain controller using EfsRpcFileKeyInfo
Informational overridden
An abnormal EfsRpcFileKeyInfo Encrypting File System Remote call (EFSRPC) was made to a domain controller. overridden