LoFP / A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include, but are not limited to, vulnerability scanners, multi-user systems and misconfigured systems.

Sample rules

Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos

Description

The following analytic identifies a source endpoint failing to authenticate with an unusually high number of invalid domain users using the Kerberos protocol. It leverages Event ID 4768, which is logged on a domain controller whenever a client requests a Kerberos Ticket Granting Ticket (TGT) from the Key Distribution Center, and filters on failure code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), meaning the requested account does not exist in the Kerberos database. Events are grouped into 5-minute windows per source IP, the number of distinct account names in each window is counted, and a window is flagged when that count exceeds 10 and is at or above the source's mean plus three standard deviations. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access and potential privilege escalation within the Active Directory environment.

Detection logic

`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6 
| bucket span=5m _time 
| stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress 
| eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress 
| eval upperBound=(comp_avg+comp_std*3) 
| eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) 
| search isOutlier=1 
| `windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter`

Windows Multiple Invalid Users Fail To Authenticate Using Kerberos

Description

The following analytic identifies a source endpoint failing to authenticate with more than 30 unique invalid domain users within a 5-minute window using the Kerberos protocol. This detection leverages EventCode 4768, specifically looking for failure code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), indicating the user is not found in the Kerberos database. This activity is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access or privilege escalation within the Active Directory environment, posing a significant security risk.

Detection logic

`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6 
| bucket span=5m _time 
| stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress 
| where unique_accounts > 30 
| `windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter`

Windows Multiple Invalid Users Failed To Authenticate Using NTLM

Description

The following analytic detects a single source endpoint failing to authenticate with more than 30 unique invalid users within a 5-minute window using the NTLM protocol. It leverages EventCode 4776 (credential validation) from Domain Controller logs, focusing on error code 0xC0000064 (STATUS_NO_SUCH_USER), which indicates a non-existent username. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the Active Directory environment.

Detection logic

`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064 
| bucket span=5m _time 
| stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation 
| where unique_accounts > 30 
| `windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter`

Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM

Description

The following analytic identifies a source endpoint failing to authenticate with an unusually high number of invalid users using the NTLM protocol. It leverages EventCode 4776 with error code 0xC0000064 (STATUS_NO_SUCH_USER), counts distinct account names per source workstation in 2-minute windows, and computes the mean and standard deviation of that count for each workstation; a window is flagged when its count exceeds 10 and is at least three standard deviations above the mean (the 3-sigma rule). This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access or privilege escalation, posing a significant threat to the Active Directory environment. This detection is focused on domain controllers.

Detection logic

`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064 
| bucket span=2m _time 
| stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, Workstation 
| eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation 
| eval upperBound=(comp_avg+comp_std*3) 
| eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) 
| search isOutlier=1 
| rename Workstation as src 
| `windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter`
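To see how the four analytics above behave without a Splunk instance, the following is an added Python re-implementation of their logic (example code written for this page, not Splunk's or the original rules' code) run over constructed sample events. The event dictionaries, IP addresses, workstation name and account names are all made up; the field names, status codes, bucket spans, the `> 30` threshold, the `> 10` floor and the `avg + 3*stdev` bound mirror the SPL. How Splunk's `stdev` treats a source that appears in only one bucket is an assumption noted in the code.

```python
"""Offline re-implementation of the four SPL analytics on this page (added example)."""
from collections import defaultdict
from statistics import mean, stdev


def base_search(events, event_code, status):
    """EventCode=<code> TargetUserName!=*$ Status=<status>: keep matching events, drop computer accounts."""
    return [e for e in events
            if e["EventCode"] == event_code
            and e["Status"].lower() == status.lower()      # Splunk field matching is case-insensitive
            and not e["TargetUserName"].endswith("$")]


def unique_accounts_per_bucket(events, src_field, span):
    """bucket span=<span> _time | stats dc(TargetUserName) values(TargetUserName) by _time, <src>."""
    buckets = defaultdict(set)
    for e in events:
        buckets[((e["_time"] // span) * span, e[src_field])].add(e["TargetUserName"])
    return buckets                      # {(bucket_start, src): {account names}}


def static_threshold(buckets, threshold=30):
    """where unique_accounts > threshold  ->  {(bucket_start, src): sorted account names}."""
    return {k: sorted(v) for k, v in buckets.items() if len(v) > threshold}


def three_sigma(buckets, floor=10):
    """eventstats avg/stdev by src | upperBound=avg+3*stdev | isOutlier if count>floor and count>=upperBound.
    As in the SPL, the baseline is every bucket of that source in the search window, spike included."""
    series = defaultdict(dict)
    for (b, src), users in buckets.items():
        series[src][b] = len(users)
    hits = {}
    for src, per_bucket in series.items():
        counts = list(per_bucket.values())
        # Splunk stdev is the sample stdev; assumed to be 0 for a single sample (not null)
        upper = mean(counts) + 3 * (stdev(counts) if len(counts) > 1 else 0.0)
        for b, n in per_bucket.items():
            if n > floor and n >= upper:
                hits[(b, src)] = n
    return hits


def make_sample_events():
    """Constructed events (not real logs) with only the fields the SPL references; _time in seconds."""
    ev = []
    def krb(t, user, ip):
        ev.append({"EventCode": 4768, "Status": "0x6", "TargetUserName": user, "IpAddress": ip, "_time": t})
    def ntlm(t, user, ws):
        ev.append({"EventCode": 4776, "Status": "0xc0000064", "TargetUserName": user,
                   "Workstation": ws, "_time": t})
    # Benign: one host mistyping a single account name once every 5 minutes for an hour
    for t in range(0, 3600, 300):
        krb(t, "jdoe", "10.0.0.5")
    # Spray A: 12 quiet buckets (2 bogus names each), then 40 unknown users in the bucket at 3600
    for i in range(12):
        krb(i * 300, "svc_old", "10.0.0.99"); krb(i * 300 + 1, "tmp_adm", "10.0.0.99")
    for i in range(40):
        krb(3600 + i, f"user{i:03d}", "10.0.0.99")
    krb(3610, "WS01$", "10.0.0.99")     # computer account, excluded by TargetUserName!=*$
    # Spray B: only 3 quiet buckets of history before a burst of 40 unknown users at 8100
    for i in range(3):
        krb(7200 + i * 300, "svc_old", "10.0.0.77"); krb(7200 + i * 300 + 1, "tmp_adm", "10.0.0.77")
    for i in range(40):
        krb(8100 + i, f"user{i:03d}", "10.0.0.77")
    # NTLM spray: 35 unknown users from one workstation inside a single 2-minute window
    for i in range(35):
        ntlm(600 + i, f"guest{i:02d}", "WKS-LOBBY")
    return ev


def run_all(events):
    """Apply each of the four analytics with its own source field and bucket span."""
    krb = base_search(events, 4768, "0x6")
    ntlm = base_search(events, 4776, "0xc0000064")
    return {
        "kerberos_static": static_threshold(unique_accounts_per_bucket(krb, "IpAddress", 300)),
        "kerberos_3sigma": three_sigma(unique_accounts_per_bucket(krb, "IpAddress", 300)),
        "ntlm_static": static_threshold(unique_accounts_per_bucket(ntlm, "Workstation", 300)),
        "ntlm_3sigma": three_sigma(unique_accounts_per_bucket(ntlm, "Workstation", 120)),
    }


if __name__ == "__main__":
    for rule, hits in run_all(make_sample_events()).items():
        print(rule, sorted(hits))
```

Running it shows why the static and 3-sigma rules are deployed as a pair: both flag Spray A, but Spray B (40 unknown users after only three quiet buckets) is caught only by the static `> 30` rule, because `eventstats` computes the mean and standard deviation over the same search window that contains the spike, and with so few buckets the spike inflates its own baseline beyond reach of three sigma. Conversely, a source that appears in exactly one bucket (the NTLM sample) equals its own upper bound and is flagged by the 3-sigma rule as soon as it clears the floor of 10. When tuning the `_filter` macros for scanners or multi-user hosts, note that the `IpAddress` field of Event 4768 is commonly recorded in IPv4-mapped form (`::ffff:10.0.0.99`), so allowlists should match on both forms.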