Detection rules › Splunk
Windows Multiple Invalid Users Failed To Authenticate Using NTLM
The following analytic detects a single source endpoint failing to authenticate with 30 unique invalid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC0000064, which indicates non-existent usernames. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the Active Directory environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1110.003 Brute Force: Password Spraying |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4776 | The domain controller attempted to validate the credentials for an account. |
Stages and Predicates
Stage 1: search
search EventCode=4776 Status=0xc0000064 TargetUserName!="*$"
Stage 2: bucket
bucket span=5m _time
Stage 3: stats
stats dc(TargetUserName) AS unique_accounts, … AS tried_accounts, … AS dest BY _time, Workstation
Stage 4: where
where unique_accounts>30
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Status | eq |
|
TargetUserName | ne |
|
unique_accounts | gt |
|