Detection rules › Splunk
Windows Multiple Users Remotely Failed To Authenticate From Host
The following analytic identifies a source host failing to authenticate against a remote host with 30 unique users. It leverages Windows Event 4625 with Logon Type 3, indicating remote authentication attempts. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges in an Active Directory environment. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information. This detection is crucial for real-time security monitoring and threat hunting.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1110.003 Brute Force: Password Spraying |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4625 | An account failed to log on. |
Stages and Predicates
Stage 1: search
search EventCode=4625 IpAddress!="-" Logon_Type=3
Stage 2: bucket
bucket span=5m _time
Stage 3: stats
stats dc(TargetUserName) AS unique_accounts, … AS tried_accounts, … AS dest, … AS src, … AS user BY _time, IpAddress, Computer, action, app, authentication_method, signature, signature_id
Stage 4: rename
rename
Stage 5: where
where unique_accounts>30
Stage 6: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
IpAddress | ne |
|
Logon_Type | eq |
|
unique_accounts | gt |
|
Neighbors
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Failed Logon From Public IP (drops 3 filters this rule applies)
- Privileged Accounts Brute Force (drops 3 filters this rule applies)
- Multiple Logon Failure from the same Source Address (drops 3 filters this rule applies)