LoFP / an single endpoint authenticating to a large number of hosts is not common behavior. possible false positive scenarios include but are not limited to vulnerability scanners, jump servers and missconfigured systems.

Techniques

• T1078

Sample rules

Unusual Number of Remote Endpoint Authentication Events

• source: splunk
• technicques:
  • T1078

Description

The following analytic identifies an unusual number of remote authentication attempts from a single source by leveraging Windows Event ID 4624, which logs successful account logons. It uses statistical analysis, specifically the 3-sigma rule, to detect deviations from normal behavior. This activity is significant for a SOC as it may indicate lateral movement, malware staging, or reconnaissance. If confirmed malicious, this behavior could allow an attacker to move laterally within the network, escalate privileges, or gather information for further attacks.

Detection logic

`wineventlog_security` EventCode=4624 Logon_Type=3 Account_Name!="*$" 
| eval Source_Account = mvindex(Account_Name, 1) 
| bucket span=2m _time 
| stats dc(ComputerName) AS unique_targets values(ComputerName) as target_hosts by _time, Source_Network_Address, Source_Account 
| eventstats avg(unique_targets) as comp_avg , stdev(unique_targets) as comp_std by Source_Network_Address, Source_Account 
| eval upperBound=(comp_avg+comp_std*3) 
| eval isOutlier=if(unique_targets >10 and unique_targets >= upperBound, 1, 0) 
| `unusual_number_of_remote_endpoint_authentication_events_filter`