/
windows_local_administrator_credential_stuffing.yml
70 lines (70 loc) · 2.94 KB
/
windows_local_administrator_credential_stuffing.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
name: Windows Local Administrator Credential Stuffing
id: 09555511-aca6-484a-b6ab-72cd03d73c34
version: 1
date: '2023-03-22'
author: Mauricio Velazco, Splunk
type: TTP
status: production
data_source:
- Windows Event Log Security 4624
- Windows Event Log Security 4625
description: The following analytic leverages events 4625 and 4624 to identify an endpoint using the builtin local Administrator account to authenticate to a large numbers of endpoints. Specifically,
the logic will trigger when an endpoints attempts to authenticate to more than 30 target computers within a 5 minute timespan. This behavior could
represent an adversary who has obtained access to local credentials and is trying to validate if these credentials work on other hosts to escalate their privileges.
As environments differ across organizations, security teams should customize the thresholds of this detection as needed.
search: ' `wineventlog_security` EventCode=4625 OR EventCode=4624 Logon_Type=3 TargetUserName=Administrator
| bucket span=5m _time
| stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName, EventCode
| where unique_targets > 30
| `windows_local_administrator_credential_stuffing_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
Windows Event Logs from domain controllers as well as member servers and workstations.
The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs
to be enabled.
known_false_positives: Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed.
references:
- https://attack.mitre.org/techniques/T1110/004/
- https://attack.mitre.org/techniques/T1110/
- https://www.blackhillsinfosec.com/wide-spread-local-admin-testing/
- https://www.pentestpartners.com/security-blog/admin-password-re-use-dont-do-it/
- https://www.praetorian.com/blog/microsofts-local-administrator-password-solution-laps/
- https://wiki.porchetta.industries/smb-protocol/password-spraying
tags:
analytic_story:
- Active Directory Privilege Escalation
- Active Directory Lateral Movement
asset_type: Endpoint
confidence: 80
impact: 70
message: Local Administrator credential stuffing attack coming from $IpAddress$
mitre_attack_id:
- T1110
- T1110.004
observable:
- name: host_targets
type: Endpoint
role:
- Victim
- name: IpAddress
type: Endpoint
role:
- Attacker
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- EventCode
- Logon_Type
- TargetUserName
- Computer
- IpAddress
risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/windows-security.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog