LoFP / vulnerability scanners or system administration tools may also trigger this detection. filter as needed.

Techniques

• T1003.002
• T1021.002
• T1087
• T1110
• T1110.004
• T1135

Sample rules

Windows Local Administrator Credential Stuffing

• source: splunk
• technicques:
  • T1110
  • T1110.004

Description

The following analytic leverages events 4625 and 4624 to identify an endpoint using the builtin local Administrator account to authenticate to a large numbers of endpoints. Specifically, the logic will trigger when an endpoints attempts to authenticate to more than 30 target computers within a 5 minute timespan. This behavior could represent an adversary who has obtained access to local credentials and is trying to validate if these credentials work on other hosts to escalate their privileges. As environments differ across organizations, security teams should customize the thresholds of this detection as needed.

Detection logic

 `wineventlog_security` EventCode=4625 OR EventCode=4624 Logon_Type=3 TargetUserName=Administrator 
| bucket span=5m _time 
| stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName, EventCode 
| where unique_targets > 30 
| `windows_local_administrator_credential_stuffing_filter`

Windows Rapid Authentication On Multiple Hosts

• source: splunk
• technicques:
  • T1003.002

Description

The following analytic leverages Event ID 4624 to identify a source computer authenticating to a large number of remote endpoints within an Active Directory network. Specifically, the logic will trigger when a source endpoint authenticates to 30 or more target computers within a 5 minute timespan. This behavior could represent an adversary who is moving laterally across the environment or enumerating network shares in the search for sensitive files. As environments differ across organizations, security teams should customize the thresholds of this detection as needed.

Detection logic

  `wineventlog_security` EventCode=4624 LogonType=3 TargetUserName!="ANONYMOUS LOGON" TargetUserName!="*$" 
| bucket span=5m _time 
| stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName 
| where unique_targets > 30 
| `windows_rapid_authentication_on_multiple_hosts_filter`

Windows Special Privileged Logon On Multiple Hosts

• source: splunk
• technicques:
  • T1087
  • T1021.002
  • T1135

Description

The following analytic leverages Event ID 4672 to identify a source user authenticating with special privileges across a large number remote endpoints. Specifically, the logic will trigger when a source user obtains special privileges across 30 or more target computers within a 5 minute timespan. Special privileges are assigned to a new logon session when sensitive privileges like SeDebugPrivilege and SeImpersonatePrivilege are assigned. This behavior could represent an adversary who is moving laterally and executing remote code across the network. It can also be triggered by other behavior like an adversary enumerating network shares. As environments differ across organizations, security teams should customize the thresholds of this detection as needed.

Detection logic

 `wineventlog_security` EventCode=4672 AND NOT(Caller_User_Name IN ("DWM-1","DWM-2","DWM-3","LOCAL SERVICE","NETWORK SERVICE","SYSTEM","*$")) 
| bucket span=5m _time 
| stats dc(Computer) AS unique_targets values(Computer) as dest values(PrivilegeList) as privileges by _time, Caller_User_Name 
| rename Caller_User_Name as user
| where unique_targets > 30 
| `windows_special_privileged_logon_on_multiple_hosts_filter`