Windows Local Administrator Credential Stuffing

Author: Mauricio Velazco, Splunk
Source: upstream

The following analytic detects attempts to authenticate using the built-in local Administrator account across more than 30 endpoints within a 5-minute window. It leverages Windows Event Logs, specifically events 4625 and 4624, to identify this behavior. This activity is significant as it may indicate an adversary attempting to validate stolen local credentials across multiple hosts, potentially leading to privilege escalation. If confirmed malicious, this could allow the attacker to gain widespread access and control over numerous systems within the network, posing a severe security risk.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1110.004` Brute Force: Credential Stuffing

Event coverage

Provider	Event ID	Title
Security-Auditing	4624	An account was successfully logged on.
Security-Auditing	4625	An account failed to log on.

Stages and Predicates

Stage 1: `search`

search (EventCode=4624 OR EventCode=4625) Logon_Type=3 TargetUserName="Administrator"

Stage 2: `bucket`

bucket span=5m _time

Stage 3: `stats`

stats dc(Computer) AS unique_targets, … AS host_targets, … AS dest, … AS src, … AS user BY _time, IpAddress, TargetUserName, EventCode, action, app, authentication_method, signature, signature_id

Stage 4: `where`

where unique_targets>30

Stage 5: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	eq	`4624` corpus 6 (splunk 6) `4625` corpus 6 (splunk 6)
`Logon_Type`	eq	`3` corpus 12 (splunk 7, sigma 5)
`TargetUserName`	eq	`Administrator`
`unique_targets`	gt	`30` corpus 5 (splunk 5)

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Multiple Logon Failure Followed by Logon Success [elastic]
Potential Computer Account NTLM Relay Activity [elastic]
Potential Kerberos Relay Attack against a Computer Account [elastic]
Potential NTLM Relay Attack against a Computer Account [elastic]
Remote Windows Service Installed [elastic]
Suspicious Service was Installed in the System [elastic]
Service Creation via Local Kerberos Authentication [elastic]
Hacktool Ruler [sigma]

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.

Hacktool Ruler [sigma]
Metasploit SMB Authentication [sigma]
Multiple Logon Failure Followed by Logon Success [elastic]
Potential Computer Account NTLM Relay Activity [elastic]
Potential Kerberos Relay Attack against a Computer Account [elastic]
Potential NTLM Relay Attack against a Computer Account [elastic]
Windows Identify PowerShell Web Access IIS Pool [splunk]