Detection rules › Splunk
Windows Unusual Count Of Users Failed To Auth Using Kerberos
The following analytic identifies a source endpoint failing to authenticate multiple valid users using the Kerberos protocol, potentially indicating a Password Spraying attack. It leverages Event 4771, which is generated when the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT) due to a wrong password (failure code 0x18). This detection uses statistical analysis, specifically the 3-sigma rule, to identify unusual authentication failures. If confirmed malicious, this activity could allow an attacker to gain initial access or elevate privileges within an Active Directory environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1110.003 Brute Force: Password Spraying |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4771 | Kerberos pre-authentication failed. |
Stages and Predicates
Stage 1: search
search EventCode=4771 Status=0x18 TargetUserName!="*$"
Stage 2: bucket
bucket span=5m _time
Stage 3: stats
stats dc(TargetUserName) AS unique_accounts, … AS user, … AS dest BY _time, IpAddress
Stage 4: eventstats
eventstats avg(unique_accounts) AS comp_avg BY IpAddress
Stage 5: eval
eval ... using (comp_avg, comp_std)
Stage 6: eval
eval ... using (unique_accounts, upperBound)
Stage 7: search
search isOutlier=1
Stage 8: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Status | eq |
|
TargetUserName | ne |
|
isOutlier | eq |
|