
Summary
This analytic rule identifies non-domain devices that repeatedly attempt NTLM (NT LAN Manager) authentication against a domain-joined Windows device while supplying a null domain. Such behavior is indicative of brute-force password attacks or password spraying attempts by an attacker. The detection relies on monitoring Windows EventIDs 8004, 8005, and 8006, which log NTLM authentication attempts; for the Domain Controllers to emit these events, NTLM Operational logging must be configured correctly. Statistical analysis over the number of unique users and sources then surfaces activity that deviates significantly from normal patterns, indicating possible malicious activity.
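The statistical check described above, as an added Python example that is not the rule's own query: it filters constructed NTLM audit records to the three event IDs named here, keeps only attempts that carry a null (empty) domain, counts distinct accounts per source workstation, and flags a source whose unique-user count sits far above a constructed per-source baseline. The record field names (event_id, source, user, domain), the sample events, the baseline values and the thresholds are all assumptions for the example.

```python
"""Flag sources that spray many accounts over NTLM with a null domain."""
from collections import defaultdict
from statistics import mean, pstdev

NTLM_AUDIT_EVENT_IDS = {8004, 8005, 8006}  # event IDs named by the rule

# Constructed sample records (not real logs). Field names are assumptions
# mirroring what an NTLM audit event exposes: the requesting workstation,
# the account name attempted, and the domain supplied with the request.
SAMPLE_EVENTS = [
    {"event_id": 8004, "source": "WS-UNKNOWN-01", "user": "alice", "domain": ""},
    {"event_id": 8004, "source": "WS-UNKNOWN-01", "user": "bob", "domain": ""},
    {"event_id": 8004, "source": "WS-UNKNOWN-01", "user": "carol", "domain": ""},
    {"event_id": 8005, "source": "WS-UNKNOWN-01", "user": "dave", "domain": ""},
    {"event_id": 8006, "source": "WS-UNKNOWN-01", "user": "erin", "domain": ""},
    {"event_id": 8004, "source": "WS-UNKNOWN-01", "user": "frank", "domain": ""},
    # Domain-joined host supplying its domain: excluded by the null-domain filter
    {"event_id": 8004, "source": "FILESRV01", "user": "svc_backup", "domain": "CORP"},
    {"event_id": 8004, "source": "FILESRV01", "user": "svc_backup", "domain": "CORP"},
    # One null-domain attempt from a printer: low unique-user count, not flagged
    {"event_id": 8004, "source": "PRINTER-7", "user": "scanner", "domain": ""},
    # Unrelated event ID, ignored by the filter
    {"event_id": 4624, "source": "WS-UNKNOWN-01", "user": "alice", "domain": ""},
]

# Constructed baseline (assumed values): unique null-domain users observed
# per source in a normal window, used to derive mean and standard deviation.
BASELINE_UNIQUE_USERS = [1, 1, 2, 1, 1, 2, 1, 1, 1, 2]


def null_domain_stats(events):
    """Return {source: (unique_user_count, attempt_count)} over NTLM audit
    events whose supplied domain is null/empty."""
    users = defaultdict(set)
    attempts = defaultdict(int)
    for ev in events:
        if ev["event_id"] not in NTLM_AUDIT_EVENT_IDS:
            continue
        if ev.get("domain"):  # a non-empty domain is out of scope for this rule
            continue
        users[ev["source"]].add(ev["user"].lower())
        attempts[ev["source"]] += 1
    return {src: (len(users[src]), attempts[src]) for src in users}


def anomalous_sources(events, baseline, z_threshold=3.0, min_unique_users=3):
    """Flag sources whose unique-user count clears an absolute floor and lies
    more than z_threshold standard deviations above the baseline mean."""
    mu = mean(baseline)
    sigma = pstdev(baseline) or 1.0  # guard against a perfectly flat baseline
    flagged = {}
    for src, (uniq, total) in null_domain_stats(events).items():
        z = (uniq - mu) / sigma
        if uniq >= min_unique_users and z > z_threshold:
            flagged[src] = {"unique_users": uniq, "attempts": total, "z": round(z, 2)}
    return flagged


if __name__ == "__main__":
    for src, info in anomalous_sources(SAMPLE_EVENTS, BASELINE_UNIQUE_USERS).items():
        print(f"{src}: {info}")
```

The absolute floor (min_unique_users) keeps a single misconfigured device with one stale credential from tripping the z-score test on a quiet baseline, while the z-score keeps the rule adaptive to environments where a few null-domain attempts per source are routine.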
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Application Log
- Network Traffic
ATT&CK Techniques
- T1110
- T1110.003
Created: 2024-11-13