ID | Technique | Tactic |
---|---|---|
T1078 | Valid Accounts | Defense Evasion |
T1078.003 | Local Accounts | Initial Access |
Detection: Detect Excessive User Account Lockouts
Description
The following analytic identifies user accounts experiencing an excessive number of lockouts within a short timeframe. It leverages the 'Change' data model, specifically focusing on events where the result indicates a lockout. This activity is significant as it may indicate a brute-force attack or misconfiguration, both of which require immediate attention. If confirmed malicious, this behavior could lead to account compromise, unauthorized access, and potential lateral movement within the network.
Search
1
2| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where All_Changes.result="*lock*" by All_Changes.user All_Changes.result
3|`drop_dm_object_name("All_Changes")`
4|`drop_dm_object_name("Account_Management")`
5| `security_content_ctime(firstTime)`
6| `security_content_ctime(lastTime)`
7| search count > 5
8| `detect_excessive_user_account_lockouts_filter`
Data Source
Name | Platform | Sourcetype | Source | Supported App |
---|---|---|---|---|
N/A | N/A | N/A | N/A | N/A |
Macros Used
Name | Value |
---|---|
security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
detect_excessive_user_account_lockouts_filter | search * |
detect_excessive_user_account_lockouts_filter
is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Risk Event | True |
Implementation
ou must ingest your Windows security event logs in the Change
datamodel under the nodename is Account_Management
, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment.
Known False Positives
It is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message | Risk Score | Impact | Confidence |
---|---|---|---|
Excessive user account lockouts for $user$ in a short period of time | 36 | 60 | 60 |
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | XmlWinEventLog:Security |
XmlWinEventLog |
Integration | ✅ Passing | Dataset | XmlWinEventLog:Security |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 6