Detection rules › Splunk
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
The following analytic identifies a source endpoint failing to authenticate with multiple invalid users using the NTLM protocol. It leverages EventCode 4776 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access or privilege escalation, posing a significant threat to the Active Directory environment. This detection is focused on domain controllers.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1110.003 Brute Force: Password Spraying |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4776 | The domain controller attempted to validate the credentials for an account. |
Stages and Predicates
Stage 1: search
search EventCode=4776 Status=0xc0000064 TargetUserName!="*$"
Stage 2: bucket
bucket span=2m _time
Stage 3: stats
stats dc(TargetUserName) AS unique_accounts, … AS user, … AS dest BY _time, Workstation
Stage 4: eventstats
eventstats avg(unique_accounts) AS comp_avg BY Workstation
Stage 5: eval
eval ... using (comp_avg, comp_std)
Stage 6: eval
eval ... using (unique_accounts, upperBound)
Stage 7: search
search isOutlier=1
Stage 8: rename
rename
Stage 9: search
search `macro`
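The stage list above elides the eval expressions, the rename and the trailing macro, so the following is an added Python re-implementation of the statistical core (stages 1 to 7) for testing the logic offline; it is not the Splunk rule's own code. It assumes, from the description's 3-sigma rule, that stage 5 computes `upperBound = comp_avg + 3 * comp_std` (with `comp_std` being a sample standard deviation by Workstation) and stage 6 sets `isOutlier = 1` when `unique_accounts > upperBound`; the sample 4776 events are constructed, and the rename and macro stages are omitted.

```python
"""Offline model of the 4776 / NTLM invalid-user spray detection (added example)."""
from collections import defaultdict
from statistics import mean, stdev

BUCKET_SECONDS = 120              # "bucket span=2m _time"
STATUS_NO_SUCH_USER = "0xc0000064"  # Status matched by stage 1 (user does not exist)
SIGMA = 3                         # 3-sigma rule from the description (assumed eval)


def _evt(t, workstation, user, status, code=4776):
    """One 4776 record as the search would see it (constructed, not real telemetry)."""
    return {"_time": t, "EventCode": code, "Status": status,
            "TargetUserName": user, "Workstation": workstation}


def build_sample_events():
    """Constructed events: a quiet baseline, one spray burst, and rows stage 1 must drop."""
    base = (1_700_000_000 // BUCKET_SECONDS) * BUCKET_SECONDS  # bucket-aligned epoch anchor
    events = []
    # WS-A: 30 quiet buckets alternating 1 and 2 distinct non-existent users
    for k in range(30):
        t = base + k * BUCKET_SECONDS
        for i in range(1 if k % 2 == 0 else 2):
            events.append(_evt(t + i, "WS-A", f"baduser{k}_{i}", STATUS_NO_SUCH_USER))
    # WS-A: one bucket with 40 distinct invalid users, one of them tried twice
    t = base + 30 * BUCKET_SECONDS
    for i in range(40):
        events.append(_evt(t + i, "WS-A", f"spray{i}", STATUS_NO_SUCH_USER))
    events.append(_evt(t + 50, "WS-A", "spray0", STATUS_NO_SUCH_USER))  # duplicate, dc() counts once
    # Rows stage 1 filters out: a machine account, and a wrong-password (not no-such-user) status
    events.append(_evt(base, "WS-A", "SRV01$", STATUS_NO_SUCH_USER))
    events.append(_evt(base, "WS-A", "alice", "0xc000006a"))
    # WS-B: a single bucket, so its baseline has no spread at all
    for i in range(3):
        events.append(_evt(base + i, "WS-B", f"u{i}", STATUS_NO_SUCH_USER))
    return events


SAMPLE_EVENTS = build_sample_events()


def stage1_search(events):
    """search EventCode=4776 Status=0xc0000064 TargetUserName!="*$" """
    return [e for e in events
            if e["EventCode"] == 4776
            and e["Status"].lower() == STATUS_NO_SUCH_USER
            and not e["TargetUserName"].endswith("$")]


def stage3_stats(events):
    """bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts BY _time, Workstation"""
    users = defaultdict(set)
    for e in events:
        bucket = e["_time"] - e["_time"] % BUCKET_SECONDS
        users[(bucket, e["Workstation"])].add(e["TargetUserName"])
    return [{"_time": b, "Workstation": ws, "unique_accounts": len(s)}
            for (b, ws), s in sorted(users.items())]


def stages4to6_score(rows):
    """eventstats avg/stdev BY Workstation, then the assumed upperBound / isOutlier evals."""
    by_ws = defaultdict(list)
    for r in rows:
        by_ws[r["Workstation"]].append(r["unique_accounts"])
    scored = []
    for r in rows:
        vals = by_ws[r["Workstation"]]
        comp_avg = mean(vals)
        comp_std = stdev(vals) if len(vals) > 1 else 0.0  # one bucket: no spread, treated as 0
        upper = comp_avg + SIGMA * comp_std
        scored.append({**r, "comp_avg": comp_avg, "comp_std": comp_std,
                       "upperBound": upper,
                       "isOutlier": 1 if r["unique_accounts"] > upper else 0})
    return scored


def detect(events):
    """search isOutlier=1: the rows the rule would alert on."""
    return [r for r in stages4to6_score(stage3_stats(stage1_search(events)))
            if r["isOutlier"] == 1]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['Workstation']}: {hit['unique_accounts']} invalid users in one bucket "
              f"(upperBound {hit['upperBound']:.1f})")
```

Two behaviours of the rule show up directly in the sample. The burst from WS-A is flagged only because the baseline contains enough quiet buckets: the spike itself is part of the per-Workstation average and standard deviation, so over a short search window a single burst inflates its own sigma and can fall under the 3-sigma line, which is why the window length matters when tuning this rule. WS-B, seen in only one bucket, gets a standard deviation of zero and an upper bound equal to its own count, so it can never be an outlier; a source that sprays once within a window shorter than two minutes is invisible to this statistic and needs a second, absolute-threshold rule.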
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 4776 |
| Status | eq | 0xc0000064 |
| TargetUserName | ne | *$ |
| isOutlier | eq | 1 |