windows_unusual_count_of_users_failed_to_authenticate_from_process.yml

author: Mauricio Velazco, Splunk
data_source:
- Windows Event Log Security 4625
date: '2022-09-22'
description: 'The following analytic identifies a source process name failing to authenticate
  with multiple users. This behavior could represent an adversary performing a Password
  Spraying attack against an Active Directory environment to obtain initial access
  or elevate privileges. Event 4625 generates on domain controllers, member servers,
  and workstations when an account fails to logon. Logon Type 2 describes an iteractive
  logon attempt.

  The detection calculates the standard deviation for each host and leverages the
  3-sigma statistical rule to identify an unusual number of users. To customize this
  analytic, users can try different combinations of the `bucket` span time and the
  calculation of the `upperBound` field. This logic can be used for real time security
  monitoring as well as threat hunting exercises.

  This detection will trigger on the potenfially malicious host, perhaps controlled
  via a trojan or operated by an insider threat, from where a password spraying attack
  is being executed. This could be a domain controller as well as a member server
  or workstation.

  The analytics returned fields allow analysts to investigate the event further by
  providing fields like source process name, source account and attempted user accounts.'
how_to_implement: To successfully implement this search, you need to be ingesting
  Windows Event Logs from domain controllers aas well as member servers and workstations.
  The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs
  to be enabled.
id: 25bdb6cb-2e49-4d34-a93c-d6c567c122fe
known_false_positives: A process failing to authenticate with multiple users is not
  a common behavior for legitimate user sessions. Possible false positive scenarios
  include but are not limited to vulnerability scanners and missconfigured systems.
name: Windows Unusual Count Of Users Failed To Authenticate From Process
references:
- https://attack.mitre.org/techniques/T1110/003/
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
search: ' `wineventlog_security`  EventCode=4625 Logon_Type=2 ProcessName!="-" | bucket
  span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName)
  as user by _time, ProcessName, SubjectUserName, Computer | eventstats
  avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by ProcessName,
  SubjectUserName, Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts
  > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_from_process_filter` '
status: production
tags:
  analytic_story:
  - Active Directory Password Spraying
  - Insider Threat
  - Volt Typhoon
  asset_type: Endpoint
  confidence: 70
  impact: 70
  message: Potential password spraying attack from $Computer$
  mitre_attack_id:
  - T1110.003
  - T1110
  observable:
  - name: user
    type: User
    role:
    - Victim
  - name: Computer
    role:
    - Attacker
    type: Endpoint
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - EventCode
  - Logon_Type
  - ProcessName
  - SubjectUserName
  - TargetUserName
  - Computer
  risk_score: 49
  security_domain: endpoint
tests:
- attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/windows-security.log
    source: XmlWinEventLog:Security
    sourcetype: XmlWinEventLog
  name: True Positive Test
type: Anomaly
version: 1