LoFP

Applications that deal with non-domain joined authentications. Recommend adjusting the upperBound_unique eval to tailor the correlation to your environment; running with a 24hr search window will smooth out some statistical noise.

Techniques

Sample rules

Windows Multiple NTLM Null Domain Authentications

Description

The following analytic detects when a device is the target of numerous NTLM authentications using a null domain. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to a domain joined Windows device from a non-domain device. This activity may also generate a large number of EventID 4776 events in tandem; however, these events will not indicate the attacker or target device.

Detection logic

`ntlm_audit` EventCode IN (8004,8005,8006) DomainName=NULL UserName!=NULL 
| eval src = replace(WorkstationName,"\\\\","")  ```CIM alignment, remove leading \\ from some auth attempts ``` 
| eval dest = SChannelName, user = UserName ``` CIM alignment``` 
| where SChannelName!=src ``` Remove NTLM auths to self, improves accuracy for certain applications``` 
| `windows_multiple_ntlm_null_domain_authentications_filter` 
| stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(user))) as unique_count dc(eval(upper(src))) as src_count by dest 
| eventstats avg(unique_count) as unique_avg , stdev(unique_count) as unique_std 
| eval upperBound_unique=(1+unique_avg+unique_std*3) ``` adjust formula for sensitivity``` 
| eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), 0) 
| where isOutlier==1 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
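The same filtering and outlier statistics as the search above, written in Python over constructed ntlm_audit-style events so the upperBound_unique tuning can be tried offline. This is an added example, not code from the original rule or from the Splunk content project; the event dictionaries, host names and user names are made up for the demonstration.

```python
import statistics
from collections import defaultdict

def _ev(user, workstation, dest, domain="NULL", code=8004):
    """Build one constructed ntlm_audit-style event (sample data, not real logs)."""
    return {"EventCode": code, "DomainName": domain, "UserName": user,
            "WorkstationName": workstation, "SChannelName": dest}

# Constructed sample: DC01 receives null-domain NTLM logons for 20 distinct users
# from one non-domain laptop (a spraying pattern); 15 file servers see their usual
# one or two service accounts. The last three events are filtered out by the logic.
SAMPLE_EVENTS = (
    [_ev(f"user{i}", "\\\\LAPTOP-X", "DC01") for i in range(20)]
    + [_ev(f"svc{k}", "BACKUP01", f"FS{i:02d}") for i in range(15) for k in range(1 + i % 2)]
    + [_ev("admin", "APP01", "APP01"),                 # NTLM auth to self
       _ev("alice", "WS01", "DC01", domain="CORP"),    # real domain, not null
       _ev("bob", "WS02", "DC01", code=8003)]          # EventCode outside 8004-8006
)

def null_domain_outliers(events, std_multiplier=3):
    """Mirror the analytic: distinct null-domain users per destination, then flag
    destinations whose count exceeds 1 + avg + std_multiplier * stdev."""
    users_by_dest = defaultdict(set)
    for e in events:
        if e["EventCode"] not in (8004, 8005, 8006):
            continue
        # The NTLM audit log records a null domain as the literal string NULL
        if e["DomainName"] not in ("NULL", None) or not e["UserName"]:
            continue
        src = e["WorkstationName"].lstrip("\\")     # drop leading \\ (CIM alignment)
        dest = e["SChannelName"]
        if dest == src:                              # remove NTLM auths to self
            continue
        users_by_dest[dest].add(e["UserName"].upper())
    counts = {d: len(u) for d, u in users_by_dest.items()}
    if len(counts) < 2:
        return {}                                    # stdev needs a population to compare
    values = list(counts.values())
    avg, std = statistics.mean(values), statistics.stdev(values)  # Splunk stdev is sample stdev
    upper_bound = 1 + avg + std * std_multiplier
    return {d: c for d, c in counts.items() if c > upper_bound}

if __name__ == "__main__":
    print(null_domain_outliers(SAMPLE_EVENTS))                    # {'DC01': 20}
    print(null_domain_outliers(SAMPLE_EVENTS, std_multiplier=5))  # {} (bound raised past 20)
```

With only a handful of destinations in the window, a 3-sigma bound can never be exceeded by a single host, which is why the false-positive note recommends a wider search window and tuning the multiplier.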