Name:Windows Unusual Count Of Users Failed To Authenticate Using NTLM id:6f6c8fd7-6a6b-4af9-a0e9-57cfc47a58b4 version:4 date:2024-09-30 author:Mauricio Velazco, Splunk status:production type:Anomaly Description:The following analytic identifies a source endpoint failing to authenticate multiple valid users using the NTLM protocol, potentially indicating a Password Spraying attack. It leverages Event 4776 from Domain Controllers, calculating the standard deviation for each host and applying the 3-sigma rule to detect anomalies. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges. If confirmed malicious, the attacker could compromise multiple accounts, leading to unauthorized access and potential lateral movement within the network. Data_source:
-Windows Event Log Security 4776
search:`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter`
how_to_implement:To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled. known_false_positives:A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts. References: -https://attack.mitre.org/techniques/T1110/003/ -https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation -https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 drilldown_searches: name:'View the detection results for - "$Workstation$"' search:'%original_detection_search% | search Workstation = "$Workstation$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$Workstation$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Workstation$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Active Directory Password Spraying' - 'Volt Typhoon' asset_type:Endpoint confidence:70 impact:70 message:Potential NTLM based password spraying attack from $Workstation$ mitre_attack_id: - 'T1110.003' - 'T1110' observable: name:'Workstation' - role: - 'Victim' type:'Endpoint' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'EventCode' - 'Status' - 'TargetUserName' - 'Workstation' risk_score:49 security_domain:endpoint
