Name:Windows Rapid Authentication On Multiple Hosts id:62606c77-d53d-4182-9371-b02cdbbbcef7 version:4 date:2024-09-30 author:Mauricio Velazco, Splunk status:production type:TTP Description:The following analytic detects a source computer authenticating to 30 or more remote endpoints within a 5-minute timespan using Event ID 4624. This behavior is identified by analyzing Windows Event Logs for LogonType 3 events and counting unique target computers. Such activity is significant as it may indicate lateral movement or network share enumeration by an adversary. If confirmed malicious, this could lead to unauthorized access to multiple systems, potentially compromising sensitive data and escalating privileges within the network. Data_source:
-Windows Event Log Security 4624
search:`wineventlog_security` EventCode=4624 LogonType=3 TargetUserName!="ANONYMOUS LOGON" TargetUserName!="*$" | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName | where unique_targets > 30 | `windows_rapid_authentication_on_multiple_hosts_filter`
how_to_implement:To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. known_false_positives:Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed. References: -https://attack.mitre.org/techniques/T1135/ -https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ -https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624 drilldown_searches: name:'View the detection results for - "$host_targets$"' search:'%original_detection_search% | search host_targets = "$host_targets$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$host_targets$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host_targets$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Active Directory Privilege Escalation' - 'Active Directory Lateral Movement' asset_type:Endpoint confidence:80 impact:60 message:The source computer with ip address $IpAddress$ authenticated to a large number of remote endpoints within 5 minutes. mitre_attack_id: - 'T1003.002' observable: name:'host_targets' type:'Endpoint' - role: - 'Victim' name:'IpAddress' type:'Endpoint' - role: - 'Attacker' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'EventCode' - 'Logon_Type' - 'TargetUserName' - 'Computer' - 'IpAddress' risk_score:48 security_domain:endpoint
