/
windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml
84 lines (81 loc) · 3.59 KB
/
windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
author: Mauricio Velazco, Splunk
data_source:
- Windows Event Log Security 4768
date: '2022-09-22'
description: 'The following analytic identifies one source endpoint failing to authenticate
with multiple disabled domain users using the Kerberos protocol. This behavior could
represent an adversary performing a Password Spraying attack against an Active Directory
environment using Kerberos to obtain initial access or elevate privileges. As attackers
progress in a breach, mistakes will be made. In certain scenarios, adversaries may
execute a password spraying attack against disabled users. Event 4768 is generated
every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket
(TGT). Failure code `0x12` stands for `clients credentials have been revoked` (account
disabled, expired or locked out).
The detection calculates the standard deviation for each host and leverages the
3-sigma statistical rule to identify an unusual number of users. To customize this
analytic, users can try different combinations of the `bucket` span time and the
calculation of the `upperBound` field. This logic can be used for real time security
monitoring as well as threat hunting exercises.
This detection will only trigger on domain controllers, not on member servers or
workstations.
The analytics returned fields allow analysts to investigate the event further by
providing fields like source ip and attempted user accounts.'
how_to_implement: To successfully implement this search, you need to be ingesting
Domain Controller and Kerberos events. The Advanced Security Audit policy setting
`Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.
id: f65aa026-b811-42ab-b4b9-d9088137648f
known_false_positives: A host failing to authenticate with multiple disabled domain
users is not a common behavior for legitimate systems. Possible false positive scenarios
include but are not limited to vulnerability scanners, multi-user systems missconfigured
systems.
name: Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
references:
- https://attack.mitre.org/techniques/T1110/003/
search: '`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12 | bucket
span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName)
as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg
, stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3)
| eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0)
| search isOutlier=1 | `windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter` '
status: production
tags:
analytic_story:
- Active Directory Password Spraying
- Active Directory Kerberos Attacks
- Volt Typhoon
asset_type: Endpoint
confidence: 70
impact: 70
message: Potential Kerberos based password spraying attack from $IpAddress$
mitre_attack_id:
- T1110.003
- T1110
observable:
- name: user
type: User
role:
- Victim
- name: IpAddress
role:
- Attacker
type: Endpoint
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- EventCode
- Status
- TargetUserName
- IpAddress
risk_score: 49
security_domain: endpoint
tests:
- attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos_xml/windows-security.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
name: True Positive Test
type: Anomaly
version: 1