windows_unusual_count_of_users_failed_to_authenticate_from_process.yml
88 lines (85 loc) · 3.85 KB
author: Mauricio Velazco, Splunk
data_source:
- Windows Event Log Security 4625
date: '2022-09-22'
description: 'The following analytic identifies a source process name failing to authenticate
  with multiple users. This behavior could represent an adversary performing a Password
  Spraying attack against an Active Directory environment to obtain initial access
  or elevate privileges. Event 4625 generates on domain controllers, member servers,
  and workstations when an account fails to log on. Logon Type 2 describes an interactive
  logon attempt.

  The detection calculates the standard deviation for each host and leverages the
  3-sigma statistical rule to identify an unusual number of users. To customize this
  analytic, users can try different combinations of the `bucket` span time and the
  calculation of the `upperBound` field. This logic can be used for real-time security
  monitoring as well as threat hunting exercises.

  This detection will trigger on the potentially malicious host, perhaps controlled
  via a trojan or operated by an insider threat, from where a password spraying attack
  is being executed. This could be a domain controller as well as a member server
  or workstation.

  The fields returned by the analytic allow analysts to investigate the event further by
  providing fields like source process name, source account and attempted user accounts.'
how_to_implement: To successfully implement this search, you need to be ingesting
  Windows Event Logs from domain controllers as well as member servers and workstations.
  The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs
  to be enabled.
id: 25bdb6cb-2e49-4d34-a93c-d6c567c122fe
known_false_positives: A process failing to authenticate with multiple users is not
  a common behavior for legitimate user sessions. Possible false positive scenarios
  include but are not limited to vulnerability scanners and misconfigured systems.
name: Windows Unusual Count Of Users Failed To Authenticate From Process
references:
- https://attack.mitre.org/techniques/T1110/003/
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
search: ' `wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!="-" | bucket
  span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName)
  as user by _time, ProcessName, SubjectUserName, Computer | eventstats
  avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by ProcessName,
  SubjectUserName, Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts
  > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_from_process_filter` '
status: production
tags:
  analytic_story:
  - Active Directory Password Spraying
  - Insider Threat
  - Volt Typhoon
  asset_type: Endpoint
  confidence: 70
  impact: 70
  message: Potential password spraying attack from $Computer$
  mitre_attack_id:
  - T1110.003
  - T1110
  observable:
  - name: user
    type: User
    role:
    - Victim
  - name: Computer
    role:
    - Attacker
    type: Endpoint
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - EventCode
  - Logon_Type
  - ProcessName
  - SubjectUserName
  - TargetUserName
  - Computer
  risk_score: 49
  security_domain: endpoint
tests:
- attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/windows-security.log
    source: XmlWinEventLog:Security
    sourcetype: XmlWinEventLog
  name: True Positive Test
type: Anomaly
version: 1
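The bucket / dc() / eventstats / 3-sigma logic of the search above, re-implemented in Python over constructed 4625 records so the thresholds can be exercised offline. This is an added example, not Splunk's content or code: the process names, accounts, hosts and per-bucket counts are constructed, and treating a single-row group's standard deviation as 0 is an assumption about Splunk's `stdev`.

```python
from collections import defaultdict
from statistics import mean, stdev

SPAN = 120    # seconds; matches `bucket span=2m _time`
FLOOR = 10    # matches `unique_accounts > 10`
SIGMA = 3     # matches `upperBound=(comp_avg+comp_std*3)`

def make_events():
    """Constructed 4625/Logon_Type=2 records (not real logs): distinct TargetUserName counts per 2-minute bucket, per group."""
    profile = {
        # ordinary service account: a few failures per window, never near the floor
        ("C:\\Windows\\System32\\svchost.exe", "svc_app", "WS01"): [2, 3, 2, 2] * 5,
        # flat but noisy host (e.g. a scanner): always above the floor, never 3 sigma out
        ("C:\\Scanner\\scan.exe", "svc_scan", "SRV02"): [12, 13, 11, 12] * 5,
        # spray: a long quiet baseline, then one window with 40 distinct users
        ("C:\\Temp\\tool.exe", "jdoe", "WS07"): [1, 2] * 10 + [40],
        # a group seen in a single bucket: stdev is 0, so the floor alone decides
        ("C:\\Temp\\other.exe", "svc_x", "SRV03"): [15],
    }
    t0 = 1_700_000_040                      # a multiple of SPAN, so each group's users stay in one bucket
    events = []
    for (proc, subj, host), counts in profile.items():
        for b, n in enumerate(counts):
            for u in range(n):
                events.append({"_time": t0 + b * SPAN + u, "EventCode": 4625, "Logon_Type": 2,
                               "ProcessName": proc, "SubjectUserName": subj,
                               "TargetUserName": f"user{u}", "Computer": host})
    return events

def detect(events):
    """Mirrors the SPL: filter -> bucket -> stats dc() -> eventstats avg/stdev -> eval; returns (ProcessName, SubjectUserName, Computer, bucket, unique_accounts, upperBound)."""
    per_bucket = defaultdict(set)
    for e in events:
        if e["EventCode"] != 4625 or e["Logon_Type"] != 2 or e["ProcessName"] == "-":
            continue
        bucket = e["_time"] - e["_time"] % SPAN
        key = (e["ProcessName"], e["SubjectUserName"], e["Computer"])
        per_bucket[(bucket, key)].add(e["TargetUserName"])
    by_group = defaultdict(list)
    for (bucket, key), users in per_bucket.items():
        by_group[key].append((bucket, len(users)))
    hits = []
    for key, rows in by_group.items():
        counts = [c for _, c in rows]
        avg = mean(counts)
        std = stdev(counts) if len(counts) > 1 else 0.0  # assumption: Splunk stdev of one row is 0
        upper = avg + SIGMA * std
        hits += [(*key, b, c, round(upper, 2)) for b, c in rows if c > FLOOR and c >= upper]
    return hits
```

Because every bucket is part of the baseline it is judged against, a group needs a long run of quiet buckets (20 here) before one bucket can clear mean plus 3 sigma, while a group seen in only one bucket fires on the floor alone. The flat scanner group never fires even though all its buckets exceed the floor, which is the 3-sigma rule doing the work the `known_false_positives` note describes.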