Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
The following analytic identifies a source endpoint that fails to authenticate as multiple disabled domain users over the Kerberos protocol. It leverages EventCode 4768, which the Key Distribution Center generates when a Kerberos Ticket Granting Ticket (TGT) is requested, and filters for failure code 0x12 (client credentials revoked, the status returned for disabled accounts). This behavior is significant because it may indicate a Password Spraying attack targeting disabled accounts, potentially leading to initial access or privilege escalation. If confirmed malicious, attackers could gain unauthorized access or elevate privileges within the Active Directory environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1110.003 Brute Force: Password Spraying |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4768 | A Kerberos authentication ticket (TGT) was requested. |
Stages and Predicates
Stage 1: search
search EventCode=4768 Status=0x12 TargetUserName!="*$"
Stage 2: bucket
bucket span=5m _time
Stage 3: stats
stats dc(TargetUserName) AS unique_accounts, … AS user, … AS dest BY _time, IpAddress
Stage 4: eventstats
eventstats avg(unique_accounts) AS comp_avg BY IpAddress
Stage 5: eval
eval ... using (comp_avg, comp_std)
Stage 6: eval
eval ... using (unique_accounts, upperBound)
Stage 7: search
search isOutlier=1
Stage 8: search
search `macro`
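To make the stage pipeline concrete, here is an added Python re-implementation of the same logic (not the rule's own SPL) run over constructed 4768 events. The two thresholds it uses are assumptions, since the page elides the eval expressions: upperBound = comp_avg + 3 * comp_std, and an absolute floor of 10 accounts so low-volume sources do not flag.

```python
import math
from collections import defaultdict

SPAN = 300          # bucket span=5m
STD_MULT = 3        # assumed: upperBound = comp_avg + comp_std * 3
MIN_ACCOUNTS = 10   # assumed: absolute floor on unique_accounts before flagging

def stage1_filter(events):
    """search EventCode=4768 Status=0x12 TargetUserName!="*$" (drops machine accounts)."""
    return [e for e in events
            if e["EventCode"] == 4768 and e["Status"] == "0x12"
            and not e["TargetUserName"].endswith("$")]

def stage3_stats(events):
    """bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts BY _time, IpAddress"""
    groups = defaultdict(set)
    for e in events:
        groups[(e["_time"] // SPAN * SPAN, e["IpAddress"])].add(e["TargetUserName"])
    return [{"_time": t, "IpAddress": ip, "unique_accounts": len(u), "user": sorted(u)}
            for (t, ip), u in sorted(groups.items())]

def stdev(xs):
    """Sample standard deviation; 0.0 for a single value (assumed to mirror Splunk stdev)."""
    if len(xs) < 2:
        return 0.0
    m = sum(xs) / len(xs)
    return math.sqrt(sum((x - m) ** 2 for x in xs) / (len(xs) - 1))

def stages4_to_7(rows):
    """eventstats avg/stdev BY IpAddress, eval upperBound and isOutlier, search isOutlier=1."""
    per_ip = defaultdict(list)
    for r in rows:
        per_ip[r["IpAddress"]].append(r["unique_accounts"])
    outliers = []
    for r in rows:
        xs = per_ip[r["IpAddress"]]
        r["comp_avg"], r["comp_std"] = sum(xs) / len(xs), stdev(xs)
        r["upperBound"] = r["comp_avg"] + r["comp_std"] * STD_MULT
        r["isOutlier"] = int(r["unique_accounts"] > MIN_ACCOUNTS
                            and r["unique_accounts"] >= r["upperBound"])
        if r["isOutlier"]:
            outliers.append(r)
    return outliers

def detect(events):
    return stages4_to_7(stage3_stats(stage1_filter(events)))

def ev(t, user, ip="10.0.0.5", status="0x12", code=4768):
    return {"_time": t, "EventCode": code, "Status": status, "TargetUserName": user, "IpAddress": ip}

# Constructed sample: 20 quiet buckets with one disabled account, then a burst of 25 distinct
# disabled accounts from the same source, plus events stage 1 must drop (machine account, 0x18).
SAMPLE = [ev(i * SPAN, "old.user") for i in range(20)]
SAMPLE += [ev(6000 + i, f"disabled{i:02d}") for i in range(25)]
SAMPLE += [ev(6001, "WS01$"), ev(6002, "extra", status="0x18"), ev(6003, "x", ip="10.0.0.9")]
```

Note that a source with only one bucket gets comp_std = 0 and upperBound = comp_avg, so without the absolute floor every first-seen source would satisfy unique_accounts >= upperBound.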
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 4768 |
| Status | eq | 0x12 |
| TargetUserName | ne | *$ |
| isOutlier | eq | 1 |