Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

18 alerts match the current filters. tactic: TA0008 ✕ technique: T1550 ✕

Show ATT&CK heatmap
  • A user authenticated with weak NTLM to multiple hosts Informational Identity Analytics

    A user account authenticated to multiple hosts via NTLMv1 or LM authentication for the first time in the past 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Use Alternate Authentication Material (T1550)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the accounts.
    Investigative actions: Audit all login events with a weaker protocol and review any anomalous usage. Investigate the mentioned user for additional suspicious activity.
  • Abnormal User Login to Domain Controller Informational Identity Analytics 4 variations

    A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078) Use Alternate Authentication Material (T1550)
    Required data: XDR Agent
    Attacker's goals: A malicious user may attempt to access a domain controller to access and control Active Directory.
    Investigative actions: Ensure that the user is not a Domain Admin account. By default, Administrator groups have permission to access the domain controller. Check if the user is a service account that accesses a domain controller as part of its normal behavior. Verify that the user is not authenticating to group policy.

    Variations

    Rare RDP User Login to Domain Controller by an Abnormal Department

    Medium overridden

    A user account has successfully interactively logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden

    Abnormal RDP User Login to Domain Controller

    Low overridden

    A user account has successfully interactively logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden

    RDP User Login to Domain Controller

    Informational overridden

    A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden

    Abnormal User Login to Domain Controller by an Abnormal Department

    Informational overridden

    A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden

  • Machine Account NTLM Relay Low

    An NTLM NTProofStr was seen from more than one source. This indicates that machine account NTLM authentication data has been relayed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.
    Investigative actions: Check that the alerted host is not a NAT or a proxy that duplicates traffic as part of its normal behavior. Check if the protocols used are vulnerable to an NTLM relay attack (e.g. LDAP, SMB). Ensure that SMB signing is enabled in the case of a possible SMB relay attack.
  • Multiple users authenticated with weak NTLM to a host Informational Identity Analytics

    Multiple user accounts authenticated to a host via NTLMv1 or LM authentication for the first time in the past 30 days. This may be a result of an NTLM downgrade attackA downgrade attack may force the client to authenticate with a weaker hash/protocol (such as NTLMv1 or even LM) instead of NTLMv2.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Use Alternate Authentication Material (T1550)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the accounts.
    Investigative actions: Audit all login events with a weaker protocol and review any anomalous usage. Investigate the mentioned host for additional suspicious activity.
  • NTLM Relay Informational

    An NTLM NTProofStr was seen from more than one source. This indicates that NTLM authentication data has been relayed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.
    Investigative actions: Check that the alerted host is not a NAT or a proxy that duplicates traffic as part of its normal behavior. Check if the protocols used are vulnerable to an NTLM relay attack (e.g. LDAP, SMB). Ensure that SMB signing is enabled in the case of a possible SMB relay attack.
  • PKINIT TGT authentication request Informational Identity Analytics 2 variations

    A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Privilege Escalation (TA0004)
    ATT&CK techniques: Use Alternate Authentication Material (T1550) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Gain unauthorized access to high-privilege accounts by abusing certificate-based authentication mechanisms.
    Investigative actions: Verify if Windows Hello for Business (WHfB) is deployed and actively used in the environment, as it may explain the PKINIT activity. Inspect the Key Credentials attribute of the target account for recent modifications. Review associated service tickets or lateral movement activities tied to the target account. Investigate unusual certificate issuance or PKI activities.

    Variations

    Suspicious PKINIT TGT authentication request

    Medium overridden

    A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse. overridden

    Abnormal PKINIT TGT authentication request

    Low overridden

    A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse. overridden

  • Possible Pass-the-Hash Low Identity Analytics

    An account was successfully logged on to with new credentials. This login type is rare and may be an attacker's attempt to pass-the-hash and move laterally within a network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Use Alternate Authentication Material: Pass the Hash (T1550.002)
    Required data: XDR Agent
    Attacker's goals: An attacker is attempting to steal credentials and move laterally within a network.
    Investigative actions: Audit all login events and review for discrepancies. Look for LSASS process access, an indication of an attacker attempting to obtain password hashes. Check for the RunAs command with the /netonly option.
  • Possible TGT reuse from different hosts (pass the ticket) Informational Identity Analytics 1 variation

    We observed two different hosts sending TGS using the same TGT. This may indicate a TGT was stolen and passed to another host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Use Alternate Authentication Material: Pass the Ticket (T1550.003)
    Required data: XDR Agent
    Attacker's goals: Lateral movement using stolen user-account credentials.
    Investigative actions: Check if the mentioned hosts are not the same, and investigate if the ticket was stolen from one of them.

    Variations

    TGT reuse from different hosts (pass the ticket)

    Low overridden

    We observed two different hosts sending TGS using the same TGT. This may indicate a TGT was stolen and passed to another host. overridden

  • Potential NTLM Relay Attack Informational Identity Analytics 3 variations

    Multiple NTLM authentications were made to the same workstation and user from different IPs.This might indicate a potential NTLM Relay attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)
    Required data: XDR Agent
    Attacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.
    Investigative actions: Ensure that the alerted host is not a NAT device or proxy that replicates or forwards network traffic as part of its expected operational behavior. Check if the workstation supports weak, outdated versions of NTLM. Check for network activity to and from the suspicious IP address and workstation, to verify if they were compromised. Check for process activity to and from the suspicious IP address to verify if it was compromised. Check for changes in the network configurations, including indicators of poisoning attacks. Monitor closely the actions of the potentially compromised user account for any anomalous behavior.

    Variations

    NTLM Relay Attack using a sensitive user and a vulnerable package

    Medium overridden

    Multiple NTLM authentications were made to the same workstation and sensitive user from different IPs using a vulnerable NTLM package.This might indicate a potential NTLM Relay attack. overridden

    Potential NTLM Relay Attack using a vulnerable package

    Low overridden

    Multiple NTLM authentications were made to the same workstation and user from different IPs using a vulnerable NTLM package.This might indicate a potential NTLM Relay attack. overridden

    Potential NTLM Relay Attack using a sensitive user

    Low overridden

    Multiple NTLM authentications were made to the same workstation and sensitive user from different IPs.This might indicate a potential NTLM Relay attack. overridden

  • Potential NTLM Relay Attack against a Microsoft Configuration Manager Site Server Informational Identity Analytics 1 variation

    Multiple NTLM authentications were made to the same Microsoft Configuration Manager site server and user from different IPs in a short period of time.This might indicate a potential NTLM Relay attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)
    Required data: XDR Agent
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: An attacker may coerce the SCCM site server to authenticate to a malicious host and relay it to escalate privileges and move laterally across site systems.
    Investigative actions: Ensure that the alerted host is not a NAT device or proxy that replicates or forwards network traffic as part of its expected operational behavior. Check if the protocols used are vulnerable to an NTLM relay attack (e.g. LDAP, SMB). Ensure that SMB signing is enabled in the case of a possible SMB relay attack. Check for network activity to and from the suspicious IP address to verify if it is a compromised machine. Monitor closely the actions of the potentially compromised user account for any anomalous behavior, especially suspicious SCCM-related activity occurring near the time of the alert.

    Variations

    Potential NTLM Relay Attack against a Microsoft Configuration Manager Site Server using a vulnerable package

    Low overridden

    Multiple NTLM authentications were made to the same Microsoft Configuration Manager site server and user from different IPs using a vulnerable NTLM package in a short period of time.This might indicate a potential NTLM Relay attack. overridden

  • Potential creation of persistent cloud credentials Informational Cloud

    A cloud identity invoked a credential-related persistence operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Forge Web Credentials (T1606) Use Alternate Authentication Material: Application Access Token (T1550.001)
    Required data: AWS Audit Log
    Attacker's goals: Maintain persistence in cloud environments.
    Investigative actions: Check what API calls were executed by the identity. Check what resources are affected by this change. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account.
  • Rare NTLM Access By User To Host Informational Identity Analytics

    An unusual NTLM authentication attempt by a user to a host. This may indicate the use of stolen credentials or access tokens to access restricted hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Use Alternate Authentication Material (T1550)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: The attacker may be attempting lateral movement within a compromised network.
    Investigative actions: Verify any successful authentication for the user account referenced by the alert, as this could indicate the attacker has used stolen credentials.
  • Rare NTLM Usage by User Informational Identity Analytics

    Rare authentication by user account to host via NTLM.The user has not authenticated with NTLM in the past 30 days.This may be indicative of downgrade attacks from Kerberos to NTLM.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Use Alternate Authentication Material (T1550)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: The attacker is attempting to move laterally within a compromised network.
    Investigative actions: Verify any successful authentication for the user account referenced by the alert, as these can indicate the attacker managed to use the stolen credentials.
  • Remote usage of an AWS service token Low Cloud 1 variation

    An AWS service token was used externally of the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008) Initial Access (TA0001)
    ATT&CK techniques: Steal Application Access Token (T1528) Use Alternate Authentication Material: Application Access Token (T1550.001) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate a token and abuse it remotely.
    Investigative actions: Check what actions were executed using the access-key. Check if the IAM role was assumed by a different identity.

    Variations

    Suspicious usage of AWS service token

    Medium overridden

    An AWS service token was used externally of the cloud environment. overridden

  • Suspicious Encrypting File System Remote call (EFSRPC) to domain controller Medium

    An Encrypting File System Remote call (EFSRPC) was made to a domain controller.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Use Alternate Authentication Material: Pass the Hash (T1550.002)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker is attempting to steal credentials and move laterally within a network.
    Investigative actions: Check for suspicious processes on the host. Check if the source host is a vulnerability scanner. Look for following suspicious connections using the DC machine account.
  • Suspicious SMB connection from domain controller Low

    A domain controller has initiated an SMB connection to another host. The domain controllers usually communicate over SMB only with other domain controllers. An attacker can abuse such sessions for relay attacks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Use Alternate Authentication Material: Pass the Hash (T1550.002)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: An attacker is attempting to steal credentials and move laterally within a network.
    Investigative actions: Check if the destination is domain controller, if it is, exclude it. Look for earlier connections to the DC, which may cause it to initiate the session.
  • Suspicious usage of File Server Remote VSS Protocol (FSRVP) High

    A suspicious usage of File Server Remote VSS Protocol (FSRVP) was done.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Use Alternate Authentication Material: Pass the Hash (T1550.002)
    Required data: XDR Agent
    Attacker's goals: An attacker is attempting to steal credentials and move laterally within a network.
    Investigative actions: Check for suspicious processes on the source host. Check if the source host is a vulnerability scanner. Look for additional suspicious activities by users.
  • Unusual weak authentication by user Informational Identity Analytics

    A user account authenticated to a host via NTLMv1 or LM authentication for the first time in the past 30 days. This may be indicative of an NTLM downgrade attackA downgrade attack may force the client to authenticate with a weaker hash/protocol (such as NTLMv1 or even LM) instead of NTLMv2.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Use Alternate Authentication Material (T1550)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the accounts.
    Investigative actions: Audit all login events with a weaker protocol and review any anomalous usage.