Techniques
Sample rules
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
- source: splunk
- techniques:
- T1110.003
- T1110
Description
The following analytic detects a single source endpoint failing to authenticate with more than 30 unique disabled domain users over the Kerberos protocol within a 5-minute window. It leverages Windows Security Event 4768 (a Kerberos authentication ticket, TGT, was requested), focusing on result code 0x12 (KDC_ERR_CLIENT_REVOKED, client credentials have been revoked), which the KDC returns for disabled accounts. Note that the KDC returns the same code for locked-out and expired accounts and for logons outside permitted hours, so the account state should be confirmed during triage; computer accounts (names ending in $) are excluded from the count. This activity is significant as it may indicate a Password Spraying attack targeting disabled accounts, a tactic used by adversaries to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access or privilege escalation within the Active Directory environment, posing a severe security risk.
Detection logic
`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12
| bucket span=5m _time
| stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress
| where unique_accounts > 30
| `windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter`
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
- source: splunk
- techniques:
- T1110.003
- T1110
Description
The following analytic identifies a source endpoint failing to authenticate with an unusually large number of disabled domain users using the Kerberos protocol. It leverages EventCode 4768, which is logged whenever a Kerberos Ticket Granting Ticket (TGT) is requested from the Key Distribution Center, whether or not the request succeeds, and looks for result code 0x12 (credentials revoked). Rather than a fixed threshold, it baselines the number of distinct disabled accounts per source IP across the search window and flags 5-minute buckets that exceed both an absolute floor of 10 accounts and three standard deviations above that source's average. This behavior is significant as it may indicate a Password Spraying attack targeting disabled accounts, potentially leading to initial access or privilege escalation. If confirmed malicious, attackers could gain unauthorized access or elevate privileges within the Active Directory environment.
Detection logic
`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12
| bucket span=5m _time
| stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress
| eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress
| eval upperBound=(comp_avg+comp_std*3)
| eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0)
| search isOutlier=1
| `windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter`
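Both analytics above share the same pipeline (keep 4768 with Status 0x12, drop computer accounts, bucket into 5-minute windows, count distinct TargetUserName per IpAddress) and differ only in the final test. The following Python is an added re-implementation of that pipeline over constructed 4768 events; it is not Splunk's code and not part of the original page, and the IP addresses, account names and timestamps are made up. It shows the fixed-threshold rule firing on 35 accounts but not on exactly 30, and a property of the outlier rule worth knowing before tuning: because eventstats computes a sample standard deviation over the same buckets that contain the spike, a single spray bucket can only reach avg + 3*stdev when that source has roughly eleven or more buckets in the search window (with a perfectly flat baseline the spike's z-score is bounded by (n-1)/sqrt(n)), so a short search range leaves the outlier rule silent.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, stdev

SPRAY_IP = "10.0.0.5"    # constructed attacker source
BENIGN_IP = "10.0.0.9"   # constructed workstation with two stale cached credentials
T0 = datetime(2024, 5, 1, 9, 0, 0)  # first bucket of the constructed data


def build_sample(baseline_buckets=12, spray_users=35):
    """Return constructed 4768 events as (time, EventCode, TargetUserName, Status, IpAddress).

    The sprayer first produces `baseline_buckets` five-minute buckets with one disabled
    account each (think of a scheduled task retrying a retired service account), then one
    bucket in which it tries `spray_users` distinct disabled accounts. A computer account,
    successful requests and a quiet second source are mixed in to exercise the filters.
    """
    events = []
    for i in range(baseline_buckets):
        t = T0 + timedelta(minutes=5 * i)
        events.append((t, 4768, "svc_retired", "0x12", SPRAY_IP))
        events.append((t, 4768, "WKS01$", "0x12", SPRAY_IP))   # excluded: TargetUserName ends in $
        events.append((t, 4768, "alice", "0x0", BENIGN_IP))    # excluded: successful TGT request
        events.append((t, 4768, "bob_old", "0x12", BENIGN_IP))
        events.append((t, 4768, "carol_old", "0x12", BENIGN_IP))
    spray_t = T0 + timedelta(minutes=5 * baseline_buckets)
    for n in range(spray_users):
        events.append((spray_t + timedelta(seconds=2 * n), 4768,
                       f"disabled{n:03d}", "0x12", SPRAY_IP))
    return events


def bucket_5m(t):
    """Floor a timestamp to its 5-minute bucket, like `bucket span=5m _time`."""
    return t.replace(minute=t.minute - t.minute % 5, second=0, microsecond=0)


def disabled_users_by_bucket(events):
    """First three lines of both searches: filter, bucket, dc(TargetUserName) by _time, IpAddress."""
    users = defaultdict(set)
    for t, code, user, status, ip in events:
        if code != 4768 or status != "0x12" or user.endswith("$"):
            continue
        users[(bucket_5m(t), ip)].add(user)
    return users


def detect_fixed_threshold(events, threshold=30):
    """Rule 1: `where unique_accounts > 30`. Returns [(bucket, ip, unique_accounts)]."""
    return sorted((t, ip, len(u)) for (t, ip), u in disabled_users_by_bucket(events).items()
                  if len(u) > threshold)


def detect_per_ip_outlier(events, floor=10, sigmas=3):
    """Rule 2: per-IP mean and sample stdev over every bucket in the window
    (eventstats ... by IpAddress), upperBound = avg + 3*stdev, and a bucket is
    flagged only if unique_accounts > 10 and unique_accounts >= upperBound."""
    buckets = disabled_users_by_bucket(events)
    per_ip = defaultdict(list)
    for (_, ip), u in buckets.items():
        per_ip[ip].append(len(u))
    hits = []
    for (t, ip), u in sorted(buckets.items()):
        vals = per_ip[ip]
        # Splunk's stdev() is the sample standard deviation; a single bucket has none.
        upper = mean(vals) + sigmas * (stdev(vals) if len(vals) > 1 else 0.0)
        if len(u) > floor and len(u) >= upper:
            hits.append((t, ip, len(u)))
    return hits


if __name__ == "__main__":
    events = build_sample()
    print("threshold rule:", detect_fixed_threshold(events))
    print("outlier rule, 12 baseline buckets:", detect_per_ip_outlier(events))
    # Only 4 baseline buckets: the spike inflates its own stdev and never reaches 3 sigma.
    print("outlier rule, 4 baseline buckets:",
          detect_per_ip_outlier(build_sample(baseline_buckets=4)))
```

With the default data both functions return the same single hit for 10.0.0.5 in the 10:00 bucket; shrinking the baseline to four buckets makes the outlier rule return nothing while the threshold rule still fires, which is the practical reason to run the two rules side by side rather than relying on the statistical one alone.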