/
windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml
89 lines (86 loc) · 3.99 KB
/
windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
author: Mauricio Velazco, Splunk
data_source:
- Windows Event Log Security 4776
date: '2022-09-22'
description: 'The following analytic identifies one source endpoint failing to authenticate
with multiple invalid users using the NTLM protocol. This behavior could represent
an adversary performing a Password Spraying attack against an Active Directory environment
using NTLM to obtain initial access or elevate privileges. As attackers progress
in a breach, mistakes will be made. In certain scenarios, adversaries may execute
a password spraying attack using an invalid list of users. Event 4776 is generated
on the computer that is authoritative for the provided credentials. For domain accounts,
the domain controller is authoritative. For local accounts, the local computer is
authoritative. Error code 0xC0000064 stands for `The username you typed does not
exist` (the attempted user is a legitimate domain user).
The detection calculates the standard deviation for each host and leverages the
3-sigma statistical rule to identify an unusual number of users. To customize this
analytic, users can try different combinations of the `bucket` span time and the
calculation of the `upperBound` field. This logic can be used for real time security
monitoring as well as threat hunting exercises.
This detection will only trigger on domain controllers, not on member servers or
workstations.
The analytics returned fields allow analysts to investigate the event further by
providing fields like source workstation name and attempted user accounts.'
how_to_implement: To successfully implement this search, you need to be ingesting
Domain Controller events. The Advanced Security Audit policy setting `Audit Credential
Validation' within `Account Logon` needs to be enabled.
id: 15603165-147d-4a6e-9778-bd0ff39e668f
known_false_positives: A host failing to authenticate with multiple invalid domain
users is not a common behavior for legitimate systems. Possible false positive scenarios
include but are not limited to vulnerability scanners and missconfigured systems.
If this detection triggers on a host other than a Domain Controller, the behavior
could represent a password spraying attack against the host's local accounts.
name: Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
references:
- https://attack.mitre.org/techniques/T1110/003/
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
search: ' `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064
| bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName)
as user by _time, Workstation | eventstats avg(unique_accounts) as comp_avg
, stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3)
| eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0)
| search isOutlier=1
| rename Workstation as src
|`windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter`'
status: production
tags:
analytic_story:
- Active Directory Password Spraying
- Volt Typhoon
asset_type: Endpoint
confidence: 70
impact: 70
message: Potential NTLM based password spraying attack from $src$
mitre_attack_id:
- T1110.003
- T1110
observable:
- name: user
type: User
role:
- Victim
- name: src
type: Endpoint
role:
- Attacker
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- EventCode
- TargetUserName
- Workstation
- Status
risk_score: 49
security_domain: endpoint
tests:
- attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/windows-security.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
name: True Positive Test
type: Anomaly
version: 1