Techniques
Sample rules
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
- source: splunk
- technicques:
- T1110.003
- T1110
Description
The following analytic identifies one source endpoint failing to authenticate with 30 unique disabled domain users using the Kerberos protocol within 5 minutes. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack against disabled users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code 0x12 stands for clients credentials have been revoked (account disabled, expired or locked out).
This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations.
The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.
Detection logic
`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12
| bucket span=5m _time
| stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress
| where unique_accounts > 30
| `windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter`
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
- source: splunk
- technicques:
- T1110.003
- T1110
Description
The following analytic identifies one source endpoint failing to authenticate with multiple disabled domain users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack against disabled users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code 0x12 stands for clients credentials have been revoked (account disabled, expired or locked out).
The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the bucket span time and the calculation of the upperBound field. This logic can be used for real time security monitoring as well as threat hunting exercises.
This detection will only trigger on domain controllers, not on member servers or workstations.
The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.
Detection logic
`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12
| bucket span=5m _time
| stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress
| eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress
| eval upperBound=(comp_avg+comp_std*3)
| eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0)
| search isOutlier=1
| `windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter`