Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

6 alerts match the current filters. tactic: TA0006 ✕ technique: T1550 ✕

Show ATT&CK heatmap
  • Machine Account NTLM Relay Low

    An NTLM NTProofStr was seen from more than one source. This indicates that machine account NTLM authentication data has been relayed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.
    Investigative actions: Check that the alerted host is not a NAT or a proxy that duplicates traffic as part of its normal behavior. Check if the protocols used are vulnerable to an NTLM relay attack (e.g. LDAP, SMB). Ensure that SMB signing is enabled in the case of a possible SMB relay attack.
  • NTLM Relay Informational

    An NTLM NTProofStr was seen from more than one source. This indicates that NTLM authentication data has been relayed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.
    Investigative actions: Check that the alerted host is not a NAT or a proxy that duplicates traffic as part of its normal behavior. Check if the protocols used are vulnerable to an NTLM relay attack (e.g. LDAP, SMB). Ensure that SMB signing is enabled in the case of a possible SMB relay attack.
  • Potential NTLM Relay Attack Informational Identity Analytics 3 variations

    Multiple NTLM authentications were made to the same workstation and user from different IPs.This might indicate a potential NTLM Relay attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)
    Required data: XDR Agent
    Attacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.
    Investigative actions: Ensure that the alerted host is not a NAT device or proxy that replicates or forwards network traffic as part of its expected operational behavior. Check if the workstation supports weak, outdated versions of NTLM. Check for network activity to and from the suspicious IP address and workstation, to verify if they were compromised. Check for process activity to and from the suspicious IP address to verify if it was compromised. Check for changes in the network configurations, including indicators of poisoning attacks. Monitor closely the actions of the potentially compromised user account for any anomalous behavior.

    Variations

    NTLM Relay Attack using a sensitive user and a vulnerable package

    Medium overridden

    Multiple NTLM authentications were made to the same workstation and sensitive user from different IPs using a vulnerable NTLM package.This might indicate a potential NTLM Relay attack. overridden

    Potential NTLM Relay Attack using a vulnerable package

    Low overridden

    Multiple NTLM authentications were made to the same workstation and user from different IPs using a vulnerable NTLM package.This might indicate a potential NTLM Relay attack. overridden

    Potential NTLM Relay Attack using a sensitive user

    Low overridden

    Multiple NTLM authentications were made to the same workstation and sensitive user from different IPs.This might indicate a potential NTLM Relay attack. overridden

  • Potential NTLM Relay Attack against a Microsoft Configuration Manager Site Server Informational Identity Analytics 1 variation

    Multiple NTLM authentications were made to the same Microsoft Configuration Manager site server and user from different IPs in a short period of time.This might indicate a potential NTLM Relay attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)
    Required data: XDR Agent
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: An attacker may coerce the SCCM site server to authenticate to a malicious host and relay it to escalate privileges and move laterally across site systems.
    Investigative actions: Ensure that the alerted host is not a NAT device or proxy that replicates or forwards network traffic as part of its expected operational behavior. Check if the protocols used are vulnerable to an NTLM relay attack (e.g. LDAP, SMB). Ensure that SMB signing is enabled in the case of a possible SMB relay attack. Check for network activity to and from the suspicious IP address to verify if it is a compromised machine. Monitor closely the actions of the potentially compromised user account for any anomalous behavior, especially suspicious SCCM-related activity occurring near the time of the alert.

    Variations

    Potential NTLM Relay Attack against a Microsoft Configuration Manager Site Server using a vulnerable package

    Low overridden

    Multiple NTLM authentications were made to the same Microsoft Configuration Manager site server and user from different IPs using a vulnerable NTLM package in a short period of time.This might indicate a potential NTLM Relay attack. overridden

  • Potential creation of persistent cloud credentials Informational Cloud

    A cloud identity invoked a credential-related persistence operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Forge Web Credentials (T1606) Use Alternate Authentication Material: Application Access Token (T1550.001)
    Required data: AWS Audit Log
    Attacker's goals: Maintain persistence in cloud environments.
    Investigative actions: Check what API calls were executed by the identity. Check what resources are affected by this change. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account.
  • Remote usage of an AWS service token Low Cloud 1 variation

    An AWS service token was used externally of the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008) Initial Access (TA0001)
    ATT&CK techniques: Steal Application Access Token (T1528) Use Alternate Authentication Material: Application Access Token (T1550.001) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate a token and abuse it remotely.
    Investigative actions: Check what actions were executed using the access-key. Check if the IAM role was assumed by a different identity.

    Variations

    Suspicious usage of AWS service token

    Medium overridden

    An AWS service token was used externally of the cloud environment. overridden