/
windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml
78 lines (76 loc) · 3.28 KB
/
windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
author: Mauricio Velazco, Splunk
data_source:
- Windows Event Log Security 4768
date: '2021-04-14'
description: 'The following analytic identifies one source endpoint failing to authenticate
with 30 unique disabled domain users using the Kerberos protocol within 5 minutes.
This behavior could represent an adversary performing a Password Spraying attack
against an Active Directory environment using Kerberos to obtain initial access
or elevate privileges. Active Directory environments can be very different depending
on the organization. Users should test this detection and customize the arbitrary
threshold when needed. As attackers progress in a breach, mistakes will be made.
In certain scenarios, adversaries may execute a password spraying attack against
disabled users. Event 4768 is generated every time the Key Distribution Center issues
a Kerberos Ticket Granting Ticket (TGT). Failure code `0x12` stands for `clients
credentials have been revoked` (account disabled, expired or locked out).
This logic can be used for real time security monitoring as well as threat hunting
exercises. This detection will only trigger on domain controllers, not on member
servers or workstations.
The analytics returned fields allow analysts to investigate the event further by
providing fields like source ip and attempted user accounts.'
how_to_implement: To successfully implement this search, you need to be ingesting
Domain Controller and Kerberos events. The Advanced Security Audit policy setting
`Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.
id: 98f22d82-9d62-11eb-9fcf-acde48001122
known_false_positives: A host failing to authenticate with multiple disabled domain
users is not a common behavior for legitimate systems. Possible false positive scenarios
include but are not limited to vulnerability scanners, multi-user systems missconfigured
systems.
name: Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
references:
- https://attack.mitre.org/techniques/T1110/003/
search: '`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12 | bucket
span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName)
as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter`'
status: production
tags:
analytic_story:
- Active Directory Password Spraying
- Active Directory Kerberos Attacks
- Volt Typhoon
asset_type: Endpoint
confidence: 70
impact: 70
message: Potential Kerberos based password spraying attack from $IpAddress$
mitre_attack_id:
- T1110.003
- T1110
observable:
- name: user
type: User
role:
- Victim
- name: IpAddress
type: IP Address
role:
- Attacker
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- EventCode
- Status
- TargetUserName
- IpAddress
risk_score: 49
security_domain: endpoint
tests:
- attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos_xml/windows-security.log
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
name: True Positive Test
type: TTP
version: 2