LoFP / it is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts.

Techniques

• T1078.003

Sample rules

Detect Excessive User Account Lockouts

• source: splunk
• technicques:
  • T1078.003

Description

The following analytic identifies user accounts experiencing an excessive number of lockouts within a short timeframe. It leverages the ‘Change’ data model, specifically focusing on events where the result indicates a lockout. This activity is significant as it may indicate a brute-force attack or misconfiguration, both of which require immediate attention. If confirmed malicious, this behavior could lead to account compromise, unauthorized access, and potential lateral movement within the network.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where  All_Changes.result="*lock*" by All_Changes.user All_Changes.result 
|`drop_dm_object_name("All_Changes")` 
|`drop_dm_object_name("Account_Management")`
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| search count > 5 
| `detect_excessive_user_account_lockouts_filter`