Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM

Try in Splunk Security Cloud

Description

The following analytic identifies a source endpoint failing to authenticate with multiple invalid users using the NTLM protocol. It leverages EventCode 4776 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access or privilege escalation, posing a significant threat to the Active Directory environment. This detection is focused on domain controllers.

• Type: Anomaly

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2024-05-19
• Author: Mauricio Velazco, Splunk
• ID: 15603165-147d-4a6e-9778-bd0ff39e668f

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1110.003	Password Spraying	Credential Access

T1110

Brute Force

Credential Access

Kill Chain Phase

• Exploitation

NIST

• DE.AE

CIS20

• CIS 10

CVE

Search

 `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064 
| bucket span=2m _time 
| stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, Workstation 
| eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation 
| eval upperBound=(comp_avg+comp_std*3) 
| eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) 
| search isOutlier=1 
| rename Workstation as src 
|`windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter`

Macros

The SPL above uses the following Macros:

• wineventlog_security

windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• EventCode
• TargetUserName
• Workstation
• Status

How To Implement

To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting Audit Credential Validation' within Account Logon` needs to be enabled.

Known False Positives

A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.

Associated Analytic Story

• Active Directory Password Spraying
• Volt Typhoon

RBA

Risk Score	Impact	Confidence	Message
49.0	70	70	Potential NTLM based password spraying attack from $src$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://attack.mitre.org/techniques/T1110/003/
• https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation
• https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 2