Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
Description
The following analytic identifies a source endpoint failing to authenticate with multiple invalid users using the NTLM protocol. It leverages EventCode 4776 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access or privilege escalation, posing a significant threat to the Active Directory environment. This detection is focused on domain controllers.
- Type: Anomaly
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2024-05-19
- Author: Mauricio Velazco, Splunk
- ID: 15603165-147d-4a6e-9778-bd0ff39e668f
Annotations
ATT&CK
Kill Chain Phase
- Exploitation
NIST
- DE.AE
CIS20
- CIS 10
CVE
Search
`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064
| bucket span=2m _time
| stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, Workstation
| eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation
| eval upperBound=(comp_avg+comp_std*3)
| eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0)
| search isOutlier=1
| rename Workstation as src
| `windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter`
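The bucketing, per-host baseline and 3-sigma threshold from the SPL above, re-implemented in Python as an added example (not Splunk's or the analytic author's code) over a constructed set of 4776 events. It assumes Splunk's `stdev` is the sample standard deviation and that a host with a single bucket gets a deviation of 0; the event tuples, host names and account names are constructed.

```python
from collections import defaultdict
from statistics import mean, stdev

# Constructed sample 4776 events: (epoch seconds, Workstation, TargetUserName, Status).
# 30 quiet 2-minute buckets of one typo'd user from WS-ADMIN, then a 40-user burst;
# WS-HR produces a steady 3 unknown users per bucket plus wrong-password events.
SAMPLE_EVENTS = (
    [(t, "WS-ADMIN", "bob", "0xc0000064") for t in range(0, 3600, 120)]
    + [(t, "WS-ADMIN", "SRV01$", "0xc0000064") for t in range(0, 3600, 120)]  # machine account
    + [(3600 + i, "WS-ADMIN", f"user{i:03d}", "0xc0000064") for i in range(40)]
    + [(t, "WS-HR", u, "0xc0000064") for t in range(0, 3600, 120) for u in ("tmp1", "tmp2", "tmp3")]
    + [(t, "WS-HR", "alice", "0xc000006a") for t in range(0, 3600, 120)]  # bad password, not 0xc0000064
)

def find_outliers(events, span=120, min_accounts=10, sigma=3.0):
    """Return {(bucket_start, workstation): unique_accounts} for buckets flagged as outliers."""
    # EventCode=4776 TargetUserName!=*$ Status=0xc0000064 | bucket span=2m _time
    # | stats dc(TargetUserName) by _time, Workstation
    users = defaultdict(set)
    for ts, workstation, target_user, status in events:
        if status != "0xc0000064" or target_user.endswith("$"):
            continue
        users[(ts // span * span, workstation)].add(target_user)
    counts = {key: len(names) for key, names in users.items()}
    # eventstats avg/stdev by Workstation: the baseline only covers buckets that
    # contain at least one failure, exactly as the SPL's eventstats does
    per_host = defaultdict(list)
    for (_, workstation), n in counts.items():
        per_host[workstation].append(n)
    outliers = {}
    for (bucket, workstation), n in counts.items():
        series = per_host[workstation]
        comp_avg = mean(series)
        comp_std = stdev(series) if len(series) > 1 else 0.0  # assumption: single bucket -> 0
        upper_bound = comp_avg + sigma * comp_std
        # isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0)
        if n > min_accounts and n >= upper_bound:
            outliers[(bucket, workstation)] = n
    return outliers

if __name__ == "__main__":
    for (bucket, src), n in sorted(find_outliers(SAMPLE_EVENTS).items()):
        print(f"Potential NTLM based password spraying attack from {src} at t={bucket}: {n} accounts")
```

WS-HR is never flagged because its 3 unknown users per bucket sit below the hard floor of 10, which is what keeps a steady trickle of typos from tripping the 3-sigma test when the baseline deviation is 0.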
Macros
The SPL above uses the following Macros:
windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- EventCode
- TargetUserName
- Workstation
- Status
How To Implement
To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting 'Audit Credential Validation' within 'Account Logon' needs to be enabled.
Known False Positives
A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and misconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 49.0 | 70 | 70 | Potential NTLM based password spraying attack from $src$ |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact are set by the analytic author.
Reference
- https://attack.mitre.org/techniques/T1110/003/
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range.
source | version: 2