MITRE ATT&CK® Analytic

AN1144: Analytic 1144

Detects anomalous NTLM LogonType 3 authentications that occur without accompanying domain logon events, especially from lateral systems or involving built-in administrative tools. Monitors for mismatches between source user context and system being accessed. Correlates LogonSession creation, NTLM authentications, and process/service initiation to identify suspicious use of stolen password hashes for remote access or service logon without password entry. Detects overpass-the-hash by combining Kerberos ticket issuance with NTLM-based lateral movement.

Domain: Enterprise | ID: AN1144 | Type: Analytic | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

AN1144 is a Windows detection analytic focused on suspicious NTLM network logons that do not line up with expected domain logon activity. Its business value is in validating whether the organization can recognize credential misuse during lateral access, especially when built-in administrative tools or service activity make the behavior look operationally normal.

Executive priority

Prioritize this analytic where Windows domain credentials, administrative tooling, and lateral administration are material to business continuity. Leaders should ask whether SOC and incident response teams can correlate authentication, session creation, and service or process activity across hosts quickly enough to distinguish legitimate administration from stolen-hash-style access. This also supports audit and readiness discussions around identity monitoring, privileged access oversight, and evidence quality for Windows incident investigations.

Technical view

For Windows environments, validate correlation across NTLM LogonType 3 authentications, LogonSession creation, Kerberos ticket issuance, and subsequent process or service initiation on the accessed system. The supplied description emphasizes anomalous NTLM network logons without accompanying domain logon events, mismatches between source user context and destination system, lateral systems, and built-in administrative tools. Because no ATT&CK tactics or relationships were supplied, teams should treat this as a detection engineering validation item rather than infer a broader technique chain.

Likely telemetry

  • Windows authentication events showing NTLM network logons, especially LogonType 3
  • Domain controller logon evidence, so that each NTLM network logon can be checked for an accompanying domain logon that is expected but missing
  • LogonSession creation records
  • Kerberos ticket issuance records for correlation with later NTLM-based access
  • Process creation telemetry on destination systems

Detection direction

  • Confirm that NTLM LogonType 3 events are collected from relevant Windows systems and can be correlated with domain logon and Kerberos ticket activity.
  • Tune for mismatches between the user context initiating access and the system being accessed, especially where built-in administrative tools or service activity follow the authentication.
  • Review false positives from legitimate remote administration, service accounts, scheduled tasks, and management tooling before escalating severity.
  • Validate time-window correlation among logon session creation, NTLM authentication, Kerberos issuance, and process or service initiation.
  • Identify blind spots where endpoint logs, domain authentication logs, or service/process telemetry are missing or retained for too short a period.
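As an added illustration of the correlation described above (not MITRE's or Glexia's detection logic), the following script runs over constructed sample events; the event IDs 4624/4768/4688, the host roles, the ten-minute window and the built-in tool list are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names loosely follow the
# Windows Security log: 4624 = logon, 4768 = Kerberos TGT issued, 4688 = process
# created. Host roles and the admin-tool list are assumptions for this example.
EVENTS = [
    {"ts": "2024-01-10T09:00:00", "id": 4768, "host": "DC01", "user": "alice"},
    {"ts": "2024-01-10T09:00:05", "id": 4624, "host": "FS01", "user": "alice",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "10.0.0.15"},
    {"ts": "2024-01-10T09:00:07", "id": 4688, "host": "FS01", "user": "alice",
     "process": "explorer.exe"},
    {"ts": "2024-01-10T09:20:00", "id": 4624, "host": "SRV02", "user": "bob",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "10.0.0.77"},
    {"ts": "2024-01-10T09:20:03", "id": 4688, "host": "SRV02", "user": "bob",
     "process": "cmd.exe"},
]
ADMIN_TOOLS = {"cmd.exe", "powershell.exe", "sc.exe", "wmic.exe", "net.exe"}
DOMAIN_CONTROLLERS = {"DC01"}


def _t(event):
    return datetime.fromisoformat(event["ts"])


def detect_anomalous_ntlm(events, window=timedelta(minutes=10)):
    """Return NTLM LogonType 3 logons that have no domain-side logon or TGT
    issuance for the same user within `window` before them, together with any
    built-in admin tool the same user started on the destination host after."""
    findings = []
    for e in events:
        if e["id"] != 4624 or e.get("logon_type") != 3 or e.get("auth_pkg") != "NTLM":
            continue
        t0 = _t(e)
        # Expected accompanying domain evidence: a DC-side 4624 or 4768 for this user.
        has_domain_evidence = any(
            d["user"] == e["user"] and d["host"] in DOMAIN_CONTROLLERS
            and d["id"] in (4624, 4768) and t0 - window <= _t(d) <= t0
            for d in events)
        if has_domain_evidence:
            continue  # alice's logon is covered by her TGT issuance on DC01
        followed_by = sorted({p["process"] for p in events
                              if p["id"] == 4688 and p["host"] == e["host"]
                              and p["user"] == e["user"] and p["process"] in ADMIN_TOOLS
                              and t0 <= _t(p) <= t0 + window})
        findings.append({"user": e["user"], "dest": e["host"],
                         "src_ip": e["src_ip"], "admin_tools": followed_by})
    return findings
```

In practice the DC-side evidence check should be run against every domain controller's log, since the TGT may have been issued by any of them.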

Mitigation priorities

  • Reduce unnecessary NTLM exposure where business operations allow, while preserving evidence needed for monitoring.
  • Harden and monitor privileged and service account usage, especially accounts used for remote administration.
  • Standardize approved remote administration paths so anomalous built-in tool usage is easier to distinguish.
  • Ensure SOC playbooks require source host, destination host, user context, authentication type, and follow-on process or service review.
  • Use this analytic as a control-validation input for identity monitoring, Windows logging, and incident response evidence readiness.

Analyst notes and limits

The object is a detection analytic, not a technique description. The strongest use is to test whether defenders can correlate identity and endpoint evidence for suspicious Windows NTLM lateral access patterns. The description specifically mentions stolen password hashes and overpass-the-hash detection logic, but the response should remain focused on defensive validation rather than offensive procedure.

No official detection logic, ATT&CK tactics, aliases, labels, or relationship context were supplied. Local baselines are required to separate legitimate administration from suspicious activity. Coverage cannot be assumed without confirming Windows authentication, Kerberos, session, process, and service telemetry availability.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 4e2472e8468042ac...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 4e2472e84680…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1144 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.