/
unusual_number_of_remote_endpoint_authentication_events.yml
59 lines (59 loc) · 2.77 KB
/
unusual_number_of_remote_endpoint_authentication_events.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
name: Unusual Number of Remote Endpoint Authentication Events
id: acb5dc74-5324-11ec-a36d-acde48001122
version: 1
date: '2021-12-01'
author: Mauricio Velazco, Splunk
status: experimental
type: Hunting
description: 'The following hunting analytic leverages Event ID 4624, `An account
was successfully logged on`, to identify an unusual number of remote authentication
attempts coming from one source. An endpoint authenticating to a large number of
remote endpoints could represent malicious behavior like lateral movement, malware
staging, reconnaissance, etc. The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual high number of authentication events.To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation.This logic can be used for real time security monitoring as well as threat hunting exercises.'
data_source:
- Windows Event Log Security 4624
search: ' `wineventlog_security` EventCode=4624 Logon_Type=3 Account_Name!="*$" |
eval Source_Account = mvindex(Account_Name, 1) | bucket span=2m _time | stats dc(ComputerName)
AS unique_targets values(ComputerName) as target_hosts by _time, Source_Network_Address,
Source_Account | eventstats avg(unique_targets) as comp_avg , stdev(unique_targets)
as comp_std by Source_Network_Address, Source_Account | eval upperBound=(comp_avg+comp_std*3)
| eval isOutlier=if(unique_targets >10 and unique_targets >= upperBound, 1, 0) |
`unusual_number_of_remote_endpoint_authentication_events_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
Windows Event Logs from domain controllers as well as member servers and workstations.
The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs
to be enabled.
known_false_positives: An single endpoint authenticating to a large number of hosts
is not common behavior. Possible false positive scenarios include but are not limited
to vulnerability scanners, jump servers and missconfigured systems.
references:
- https://attack.mitre.org/techniques/T1078/
tags:
analytic_story:
- Active Directory Lateral Movement
- Active Directory Privilege Escalation
asset_type: Endpoint
confidence: 60
impact: 70
message: Unusual number of remote authentication events from $Source_Network_Address$
mitre_attack_id:
- T1078
observable:
- name: target_hosts
type: Endpoint
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- EventCode
- Logon_Type
- Caller_Process_Name
- Security_ID
- Account_Name
- ComputerName
risk_score: 42
security_domain: endpoint