Data Source: NTLM Operational 8004

Description

Data source object for NTLM Operational 8004. Event ID 8004 in the Microsoft-Windows-NTLM/Operational channel is the domain-controller-side NTLM audit record ("Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller"). A domain controller writes it only when the policy "Network security: Restrict NTLM: Audit NTLM authentication in this domain" is enabled, so confirm that setting before building detections on this source. Each event carries the account that authenticated (UserName), the domain the client supplied (DomainName, which is the literal string NULL when the client sent none), the client that originated the request (WorkstationName), the secure channel over which the request reached the DC (SChannelName and SChannelType; type 2 is a workstation secure channel) and the DC that logged it (Computer). The detections below use these fields to spot password spraying: many distinct accounts from one workstation with a NULL domain, or a source, user or destination that fans out to an unusual number of peers.

Details

Property   | Value
Source     | XmlWinEventLog:Microsoft-Windows-NTLM/Operational
Sourcetype | XmlWinEventLog:Microsoft-Windows-NTLM/Operational
Separator  | EventCode
Name                                                       | Technique          | Type
Windows Multiple NTLM Null Domain Authentications          | Password Spraying  | TTP
Windows Unusual NTLM Authentication Destinations By Source | Password Spraying  | Anomaly
Windows Unusual NTLM Authentication Destinations By User   | Password Spraying  | Anomaly
Windows Unusual NTLM Authentication Users By Destination   | Password Spraying  | Anomaly
Windows Unusual NTLM Authentication Users By Source        | Password Spraying  | Anomaly

Supported Apps

Event Fields

CategoryString
Channel
Computer
DomainName
EventCode
EventData_Xml
EventID
EventRecordID
Guid
Image_File_Name
Keywords
Level
Name
Opcode
ProcessID
RecordNumber
RenderingInfo_Xml
SChannelName
SChannelType
SourceName
SubStatus
SystemTime
System_Props_Xml
Task
TaskCategory
ThreadID
UserID
UserName
Version
WorkstationName
action
category
date_hour
date_mday
date_minute
date_month
date_second
date_wday
date_year
date_zone
dvc
dvc_nt_host
event_id
eventtype
host
id
index
linecount
name
parent_process
process_name
punct
result
service
service_id
service_name
severity
severity_id
signature
signature_id
source
sourcetype
splunk_server
splunk_server_group
subject
tag
tag::action
tag::eventtype
timeendpos
timestartpos
user_group_id
user_id
vendor_product
_bkt
_cd
_eventtype_color
_indextime
_raw
_serial
_si
_sourcetype
_subsecond
_time

Example Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Netlogon' Guid='{E5BA83F6-07D0-46B1-8BC7-7E669A1D31DC}'/>
    <EventID>8004</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>2</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime='2024-01-18T05:04:59.727635000Z'/>
    <EventRecordID>2728229667</EventRecordID>
    <Correlation/>
    <Execution ProcessID='812' ThreadID='3684'/>
    <Channel>Microsoft-Windows-NTLM/Operational</Channel>
    <Computer>attack_dc.attack_range.lan</Computer>
    <Security UserID='S-1-5-18'/>
  </System>
  <EventData>
    <Data Name='SChannelName'>VICTIM_PC</Data>
    <Data Name='UserName'>backup</Data>
    <Data Name='DomainName'>NULL</Data>
    <Data Name='WorkstationName'>WIN-SHKRDLDI338</Data>
    <Data Name='SChannelType'>2</Data>
  </EventData>
</Event>
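The following is an added example, not code from this page or from the Splunk detections it lists. It parses raw 8004 events in the XML shape shown above with the standard library and runs the page's two kinds of password-spraying check over them: the null-domain count behind "Multiple NTLM Null Domain Authentications", and one general fan-out routine that covers all four "Unusual ... By ..." anomalies. The sample events are constructed for this example and are not real telemetry. Two things are assumptions made here rather than facts the page states: the field roles (WorkstationName is treated as the spraying source, SChannelName as the destination that relayed the NTLM request to the DC, UserName as the sprayed account), and the use of fixed thresholds in place of the per-entity statistical baseline the Splunk anomaly detections compute.

```python
"""Parse Microsoft-Windows-NTLM/Operational 8004 events and run password-spraying
checks over them. Added example for this page; not Splunk's detection code.
Sample events below are constructed, not real telemetry. Field roles
(WorkstationName = source, SChannelName = destination, UserName = account)
and the fixed thresholds are assumptions made for this example."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _raw_8004(record, user, domain, workstation, schannel):
    """Build one raw 8004 event in the single-line shape Splunk ingests (constructed)."""
    return (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
        "<System><Provider Name='Microsoft-Windows-Security-Netlogon' "
        "Guid='{E5BA83F6-07D0-46B1-8BC7-7E669A1D31DC}'/><EventID>8004</EventID>"
        f"<EventRecordID>{record}</EventRecordID>"
        "<Channel>Microsoft-Windows-NTLM/Operational</Channel>"
        "<Computer>attack_dc.attack_range.lan</Computer></System>"
        f"<EventData><Data Name='SChannelName'>{schannel}</Data>"
        f"<Data Name='UserName'>{user}</Data>"
        f"<Data Name='DomainName'>{domain}</Data>"
        f"<Data Name='WorkstationName'>{workstation}</Data>"
        "<Data Name='SChannelType'>2</Data></EventData></Event>"
    )


# Constructed sample: five null-domain logons for distinct accounts from one
# workstation (a spray), that workstation reaching a second server, and two
# ordinary domain logons from a corporate laptop.
SAMPLE_EVENTS = [
    _raw_8004(1, "backup", "NULL", "WIN-SHKRDLDI338", "VICTIM_PC"),
    _raw_8004(2, "admin", "NULL", "WIN-SHKRDLDI338", "VICTIM_PC"),
    _raw_8004(3, "svc_sql", "NULL", "WIN-SHKRDLDI338", "VICTIM_PC"),
    _raw_8004(4, "jdoe", "NULL", "WIN-SHKRDLDI338", "VICTIM_PC"),
    _raw_8004(5, "asmith", "NULL", "WIN-SHKRDLDI338", "VICTIM_PC"),
    _raw_8004(6, "backup", "NULL", "WIN-SHKRDLDI338", "FILESRV01"),
    _raw_8004(7, "jdoe", "CORP", "CORP-LT-042", "FILESRV01"),
    _raw_8004(8, "jdoe", "CORP", "CORP-LT-042", "FILESRV01"),
]


def parse_8004(raw):
    """Return the System and EventData fields of one 8004 event as a dict,
    or None when the event is some other ID (the page's separator is EventCode)."""
    root = ET.fromstring(raw)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "8004":
        return None
    fields = {
        "EventID": event_id,
        "EventRecordID": root.findtext("e:System/e:EventRecordID", namespaces=NS),
        "Computer": root.findtext("e:System/e:Computer", namespaces=NS),
    }
    # EventData is a flat list of <Data Name='...'>value</Data> elements.
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def parse_events(raw_lines):
    """Parse a batch of raw XML lines, dropping anything that is not an 8004."""
    return [ev for ev in (parse_8004(line) for line in raw_lines) if ev]


def null_domain_spraying(events, min_users):
    """'Multiple NTLM Null Domain Authentications': workstations that tried at
    least min_users distinct accounts with DomainName == 'NULL'."""
    users_by_ws = defaultdict(set)
    for ev in events:
        if ev.get("DomainName") == "NULL":
            users_by_ws[ev["WorkstationName"]].add(ev["UserName"])
    return {ws: u for ws, u in users_by_ws.items() if len(u) >= min_users}


def distinct_fanout(events, group_field, count_field, min_distinct):
    """General form of the four 'Unusual ... By ...' anomalies: for each value of
    group_field, the set of distinct count_field values, kept when it reaches
    min_distinct. The fixed threshold is an assumption standing in for the
    per-entity baseline the Splunk detections compute."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev[group_field]].add(ev[count_field])
    return {k: v for k, v in seen.items() if len(v) >= min_distinct}


def analyze(raw_lines):
    """Run every check over raw XML lines and return the findings by name."""
    events = parse_events(raw_lines)
    return {
        "events": len(events),
        "null_domain": null_domain_spraying(events, min_users=5),
        "destinations_by_source": distinct_fanout(events, "WorkstationName", "SChannelName", 2),
        "destinations_by_user": distinct_fanout(events, "UserName", "SChannelName", 2),
        "users_by_destination": distinct_fanout(events, "SChannelName", "UserName", 3),
        "users_by_source": distinct_fanout(events, "WorkstationName", "UserName", 3),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

On the sample, only WIN-SHKRDLDI338 trips the null-domain check (five distinct accounts) and the destination fan-out (VICTIM_PC and FILESRV01), VICTIM_PC is the only destination with three or more distinct users, and the laptop CORP-LT-042 produces nothing. To run this against real data, feed it the `_raw` field of events with EventCode 8004 from the sourcetype above and replace the fixed thresholds with a baseline derived from each entity's own history, which is what the listed anomaly detections do.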

Source: GitHub | Version: 1