Interactive Demo — Simulated data only.
SOC365 Dashboard
Acme Legal Services Ltd Live 14:04:30 UTC

Pass-the-Hash Detected

Low · False Positive
ALR-00300 · 2026-04-07T07:17:44Z

Description

Pass-the-Hash technique detected on AP-WIFI-03. NTLM authentication from 'h.roberts' without standard Kerberos ticket. Attack Surface Scanner flagged.

Alert Metadata

Alert ID: ALR-00300
Timestamp: 2026-04-07T07:17:44Z
Severity: Low
Status: False Positive
Detection Source: Attack Surface Scanner
Assigned Analyst: EmilyAI (auto)

Endpoint Information

Hostname: AP-WIFI-03
User Account: h.roberts
Source IP: 103.84.216.199
Destination IP: 10.1.170.38
Origin Country: Iran (IR)

MITRE ATT&CK Mapping

Tactic: Lateral Movement
Technique: T1550.002
Reference: attack.mitre.org/techniques/T1550.002

Investigation Timeline

07:17:44 Event ingested by SOC365 Engine
07:17:45 EmilyAI triage started — correlation enrichment
07:17:50 EmilyAI confidence: 89% — escalated to human analyst
07:18:24 Alert assigned to analyst: EmilyAI (auto)
07:18:37 Investigation started — querying SIEM and threat intelligence
07:25:02 Containment action taken — endpoint isolated
07:32:58 Alert resolved — remediation complete

Related Alerts

ID         Time     Alert                   Severity  Status          Host
ALR-00397  3h ago   Brute Force SSH         Medium    Escalated       AP-WIFI-03
ALR-00016  9h ago   C2 Beacon Activity      Medium    Resolved        AP-WIFI-03
ALR-00029  10h ago  Pass-the-Hash Detected  Low       False Positive  WS-LAP-011
ALR-00228  10h ago  Certificate Anomaly     Low       False Positive  AP-WIFI-03
ALR-00236  12h ago  Pass-the-Hash Detected  Medium    False Positive  SRV-MAIL-01