Detection: Windows Unusual NTLM Authentication Users By Destination

Description

The following analytic detects when a device is the target of numerous NTLM authentications using a null domain. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to a domain joined Windows device from a non-domain device. This activity may also generate a large number of EventID 4776 events in tandem, however these events will not indicate the attacker or target device.

Search

 1`ntlm_audit`
 2EventCode = 8004
 3SChannelName=*
 4WorkstationName=*
 5```CIM alignment, remove leading \\ from some auth attempts ```
 6
 7| eval src = replace(WorkstationName,"\\\\","")
 8
 9| eval dest = SChannelName, user = UserName
10
11``` Remove NTLM auths to self, improves accuracy for certain applications ```
12
13| where SChannelName!=src
14
15
16| stats count min(_time) as firstTime
17              max(_time) as lastTime
18              dc(eval(upper(user))) as unique_count by dest
19
20
21| eventstats avg(unique_count) as unique_avg
22             stdev(unique_count) as unique_std
23
24```adjust formula for sensitivity```
25
26| eval upperBound_unique=(1+unique_avg+unique_std*3)
27
28
29| eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), 0)
30
31| where isOutlier==1
32
33| `security_content_ctime(firstTime)`
34
35| `security_content_ctime(lastTime)`
36
37| `windows_unusual_ntlm_authentication_users_by_destination_filter`

Data Source

Name	Platform	Sourcetype	Source
NTLM Operational 8004	Windows	'XmlWinEventLog:Microsoft-Windows-NTLM/Operational'	'XmlWinEventLog:Microsoft-Windows-NTLM/Operational'
NTLM Operational 8005	Windows	'XmlWinEventLog:Microsoft-Windows-NTLM/Operational'	'XmlWinEventLog:Microsoft-Windows-NTLM/Operational'
NTLM Operational 8006	Windows	'XmlWinEventLog:Microsoft-Windows-NTLM/Operational'	'XmlWinEventLog:Microsoft-Windows-NTLM/Operational'

Macros Used

Annotations

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Implementation

The following analytic detects when an unusual number of NTLM authentications is attempted against the same destination. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to a domain joined Windows device using an NTLM based process/attack. This same activity may also generate a large number of EventID 4776 events as well.

Known False Positives

Vulnerability scanners, print servers, and applications that deal with non-domain joined authentications. Recommend adjusting the upperBound_unique eval for tailoring the correlation to your environment, running with a 24hr search window will smooth out some statistical noise.

Associated Analytic Story

• Active Directory Password Spraying

Risk Based Analytics (RBA)

Risk Message:

The device [$dest$] was the target of $count$ NTLM authentications using $unique_count$ unique user accounts.

References

• https://attack.mitre.org/techniques/T1110/003/

• https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191

• https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/enriched-ntlm-authentication-data-using-windows-event-8004/m-p/871827

• https://www.varonis.com/blog/investigate-ntlm-brute-force

• https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/4d1235e3-2c96-4e9f-a147-3cb338a0d09f

Detection Testing

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 7