/
windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml
84 lines (81 loc) · 3.63 KB
/
windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
author: Mauricio Velazco, Splunk
data_source:
- Windows Event Log Security 4771
date: '2022-09-22'
description: 'The following analytic identifies one source endpoint failing to authenticate
with multiple valid users using the Kerberos protocol. This behavior could represent
an adversary performing a Password Spraying attack against an Active Directory environment
using Kerberos to obtain initial access or elevate privileges. Event 4771 is generated
when the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket
(TGT). Failure code 0x18 stands for `wrong password provided` (the attempted user
is a legitimate domain user).
The detection calculates the standard deviation for each host and leverages the
3-sigma statistical rule to identify an unusual number of users. To customize this
analytic, users can try different combinations of the `bucket` span time and the
calculation of the `upperBound` field. This logic can be used for real time security
monitoring as well as threat hunting exercises.
This detection will only trigger on domain controllers, not on member servers or
workstations.
The analytics returned fields allow analysts to investigate the event further by
providing fields like source ip and attempted user accounts.'
how_to_implement: To successfully implement this search, you need to be ingesting
Domain Controller and Kerberos events. The Advanced Security Audit policy setting
`Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.
id: bc9cb715-08ba-40c3-9758-6e2b26e455cb
known_false_positives: A host failing to authenticate with multiple valid domain users
is not a common behavior for legitimate systems. Possible false positive scenarios
include but are not limited to vulnerability scanners, missconfigured systems and
multi-user systems like Citrix farms.
name: Windows Unusual Count Of Users Failed To Auth Using Kerberos
references:
- https://attack.mitre.org/techniques/T1110/003/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319109(v=ws.11)
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771
search: '`wineventlog_security` EventCode=4771 TargetUserName!="*$" Status=0x18 |
bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName)
as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg
, stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3)
| eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0)
| search isOutlier=1 | `windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter`'
status: production
tags:
analytic_story:
- Active Directory Password Spraying
- Active Directory Kerberos Attacks
- Volt Typhoon
asset_type: Endpoint
confidence: 70
impact: 70
message: Potential Kerberos based password spraying attack from $IpAddress$
mitre_attack_id:
- T1110.003
- T1110
observable:
- name: user
type: User
role:
- Victim
- name: IpAddress
role:
- Attacker
type: Endpoint
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- EventCode
- Status
- TargetUserName
- IpAddress
risk_score: 49
security_domain: endpoint
tests:
- attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/windows-security.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
name: True Positive Test
type: Anomaly
version: 1