Detection rules › Splunk
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
The following analytic identifies a source user (Caller_User_Name) supplying explicit credentials for an unusually large number of distinct target accounts on a single host. It leverages Windows Event Code 4648, buckets the events into 5-minute windows, counts distinct Target_User_Name values per host and calling user, then computes the mean and standard deviation of that count for each host and flags windows that exceed the mean plus three standard deviations (the 3-sigma rule). Machine accounts (names ending in $) are excluded on both the caller and the target side. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment. Two caveats for tuning: 4648 is written on the host where the credentials were supplied and records the attempt itself, not its outcome, so despite the rule name the count reflects distinct accounts tried rather than confirmed authentication failures; and because the baseline is computed per host, a host that contributes only a handful of 5-minute windows to the search period yields a threshold dominated by the spike itself.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1110.003 Brute Force: Password Spraying |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4648 | A logon was attempted using explicit credentials. |
Stages and Predicates
Stage 1: search
search Caller_User_Name!="*$" EventCode=4648 Target_User_Name!="*$"
Stage 2: bucket
bucket span=5m _time
Stage 3: stats
stats dc(Target_User_Name) AS unique_accounts, … AS user, … AS dest, … AS src_ip BY _time, Computer, Caller_User_Name
Stage 4: eventstats
eventstats avg(unique_accounts) AS comp_avg BY Computer
The per-host standard deviation that Stage 5 consumes as comp_std is produced by this same eventstats (the description above refers to it); the catalog rendering shows only the average.
Stage 5: eval
eval ... using (comp_avg, comp_std)
Computes the per-host upper bound as comp_avg plus three times comp_std, the 3-sigma rule from the description.
Stage 6: eval
eval ... using (unique_accounts, upperBound)
Sets isOutlier to 1 for a 5-minute window whose unique_accounts exceeds its host's upperBound.
Stage 7: search
search isOutlier=1
Stage 8: search
search `macro`
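The stage pipeline above, replayed in Python over a constructed batch of 4648 events so the baseline arithmetic can be inspected offline. This is an added example, not code from the catalog page or from the Splunk rule; the field names come from the stages above, the event data is made up, and two details are assumptions: Splunk's stdev is treated as the sample standard deviation, and a host with a single row is given a standard deviation of 0. The sample includes the noise Stage 1 must drop (a machine-account caller, a machine-account target, a 4624 event) and a second host whose only window is itself a spray, which shows why a per-host baseline needs enough quiet windows.

```python
"""Replay of the 4648 three-sigma pipeline over constructed events."""
from collections import defaultdict
from statistics import mean, stdev

SPAN = 300              # bucket span=5m
SIGMAS = 3              # the 3-sigma rule from the rule description
BASE = 1_700_000_400    # a multiple of SPAN, so bucket 0 starts here (constructed)


def ev(t, computer, caller, target, code=4648):
    """One event in the shape the stages above reference (constructed)."""
    return {"_time": t, "EventCode": code, "Computer": computer,
            "Caller_User_Name": caller, "Target_User_Name": target}


def build_sample_events():
    """Constructed 4648 events; not real log data."""
    events = []
    # 20 quiet 5-minute windows: alice on WS01 keeps using one service account
    for i in range(20):
        events.append(ev(BASE + i * SPAN + 30, "WS01", "alice", "svc_backup"))
        events.append(ev(BASE + i * SPAN + 90, "WS01", "alice", "svc_backup"))
    # window 20: alice supplies credentials for 12 distinct accounts from WS01
    for n in range(12):
        events.append(ev(BASE + 20 * SPAN + 5 * n, "WS01", "alice", f"user{n:02d}"))
    # noise that Stage 1 must drop
    events.append(ev(BASE + 20 * SPAN + 70, "WS01", "WS01$", "user99"))            # machine caller
    events.append(ev(BASE + 20 * SPAN + 80, "WS01", "alice", "DC01$"))             # machine target
    events.append(ev(BASE + 20 * SPAN + 85, "WS01", "alice", "user98", code=4624))  # wrong EventCode
    # WS02 has a single window: six targets, but no quiet baseline to compare against
    for n in range(6):
        events.append(ev(BASE + 20 * SPAN + 10 * n, "WS02", "mallory", f"acct{n}"))
    return events


def stats_rows(events):
    """Stages 1-3: filter, bucket span=5m, dc(Target_User_Name) BY _time, Computer, Caller_User_Name."""
    kept = [e for e in events if e["EventCode"] == 4648
            and not e["Caller_User_Name"].endswith("$")
            and not e["Target_User_Name"].endswith("$")]
    targets = defaultdict(set)
    for e in kept:
        bucket = e["_time"] - e["_time"] % SPAN
        targets[(bucket, e["Computer"], e["Caller_User_Name"])].add(e["Target_User_Name"])
    return {key: len(names) for key, names in targets.items()}


def detect(events):
    """Stages 4-7: per-host avg/stdev, upperBound = avg + 3*stdev, keep rows above it.

    Returns (bucket_time, Computer, Caller_User_Name, unique_accounts, upperBound) tuples.
    """
    rows = stats_rows(events)
    per_host = defaultdict(list)
    for (_, computer, _), unique_accounts in rows.items():
        per_host[computer].append(unique_accounts)
    baseline = {}
    for computer, counts in per_host.items():
        # Assumption: Splunk stdev is the sample standard deviation, and a host
        # with only one row has no spread, so its deviation is modelled as 0.
        sd = stdev(counts) if len(counts) > 1 else 0.0
        baseline[computer] = (mean(counts), sd)
    flagged = []
    for (t, computer, caller), unique_accounts in sorted(rows.items()):
        comp_avg, comp_std = baseline[computer]
        upper_bound = comp_avg + SIGMAS * comp_std
        if unique_accounts > upper_bound:          # isOutlier=1
            flagged.append((t, computer, caller, unique_accounts, upper_bound))
    return flagged


if __name__ == "__main__":
    for row in detect(build_sample_events()):
        print(row)
```

Only the WS01/alice window is flagged: its 20 quiet windows give a mean of about 1.52 and an upper bound of about 8.7, which 12 distinct targets clears. WS02 is never flagged even though mallory tried six accounts, because a host with one window has no baseline; in production that is the case to cover with a longer search window or a complementary count-based rule.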
Indicators
Each row is a field, operator, and value that the rule matches, taken from the search stages above.
| Field | Kind | Values |
|---|---|---|
| Caller_User_Name | ne | `*$` |
| EventCode | eq | 4648 |
| Target_User_Name | ne | `*$` |
| isOutlier | eq | 1 |