Detection rules › Splunk
Windows Unusual Count Of Users Failed To Authenticate Using NTLM
The following analytic identifies a source endpoint that fails NTLM authentication for an unusually large number of distinct accounts within a short window, a pattern consistent with password spraying. It uses Event 4776 from Domain Controllers with Status 0xC000006A (wrong password for an account that exists), excluding machine accounts (names ending in $). Events are grouped into 2-minute buckets per source Workstation, the number of distinct TargetUserName values in each bucket is counted, and the mean and standard deviation of that count are computed per Workstation; a bucket whose count exceeds the mean by more than three standard deviations (the 3-sigma rule) is flagged as an outlier. This activity is significant because it may represent an adversary attempting to gain initial access or elevate privileges. If confirmed malicious, the attacker could compromise multiple accounts, leading to unauthorized access and lateral movement within the network. Two caveats for tuning: the Workstation field in 4776 is the client-supplied source workstation name, so it can be blank or arbitrary; and a source seen in only one bucket has an average equal to its own count and zero deviation, so the first burst from a previously silent host cannot exceed the bound and will not be flagged by this statistic.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1110.003 Brute Force: Password Spraying |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4776 | The domain controller attempted to validate the credentials for an account. |
Stages and Predicates
Stage 1: search
search EventCode=4776 Status=0xC000006A TargetUserName!="*$"
Stage 2: bucket
bucket span=2m _time
Stage 3: stats
stats dc(TargetUserName) AS unique_accounts, … AS tried_accounts, … AS dest BY _time, Workstation
Stage 4: eventstats
eventstats avg(unique_accounts) AS comp_avg BY Workstation
Stage 5: eval
eval ... using (comp_avg, comp_std)
Stage 6: eval
eval ... using (unique_accounts, upperBound)
Stage 7: search
search isOutlier=1
Stage 8: search
search `macro`
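The stages above elide the exact eventstats and eval expressions. To make the bucket and 3-sigma arithmetic concrete, here is an added Python re-implementation run over constructed Event 4776 records; it is not the rule's own SPL and not code from Splunk. It assumes comp_std is a sample standard deviation (what Splunk's stdev() computes), upperBound = comp_avg + 3 * comp_std, isOutlier = 1 when unique_accounts > upperBound, and tried_accounts = the distinct TargetUserName values in the bucket. The dest field and the closing macro are not shown on the page and are left out. The sample also demonstrates the single-bucket caveat (WS02) and a helper showing how many buckets of history a host needs before a lone spike can reach 3 sigma at all.

```python
"""Added example: the spray detection from the stages above, re-implemented in
Python over constructed Event 4776 records. Not the rule's SPL nor Splunk code.
Assumptions (the page elides these expressions):
  - comp_std is the sample standard deviation, as Splunk's stdev() computes
  - upperBound = comp_avg + 3 * comp_std
  - isOutlier = 1 when unique_accounts > upperBound
  - tried_accounts = the distinct TargetUserName values in the bucket
"""
from collections import defaultdict
from datetime import datetime, timezone
from math import sqrt
from statistics import mean, stdev

BUCKET_SECONDS = 120   # bucket span=2m _time
SIGMA = 3              # the 3-sigma rule


def event(ts, workstation, user, status="0xC000006A", code=4776):
    """One 4776 record with only the fields the rule touches."""
    return {"_time": ts, "EventCode": code, "Status": status,
            "TargetUserName": user, "Workstation": workstation}


def build_sample_events():
    """Constructed sample, not real DC logs.
    WS01: 30 buckets with 2 failing users each (baseline), then one bucket
          with 40 distinct accounts (the spray) plus records Stage 1 must drop.
    WS02: a single bucket with 30 distinct accounts and no prior history."""
    base = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc).timestamp()
    evs = []
    for b in range(30):
        t = base + b * BUCKET_SECONDS
        evs += [event(t, "WS01", "alice"), event(t + 30, "WS01", "bob")]
    t = base + 30 * BUCKET_SECONDS
    evs += [event(t + i, "WS01", f"user{i:02d}") for i in range(40)]
    evs.append(event(t, "WS01", "HOST02$"))               # machine account
    evs.append(event(t, "WS01", "carol", status="0x0"))   # successful auth
    evs.append(event(t, "WS01", "dave", code=4625))       # not a 4776
    evs += [event(t + i, "WS02", f"svc{i:02d}") for i in range(30)]
    return evs


def stage1_search(events):
    """search EventCode=4776 Status=0xC000006A TargetUserName!="*$" """
    return [e for e in events
            if e["EventCode"] == 4776
            and e["Status"] == "0xC000006A"
            and not e["TargetUserName"].endswith("$")]


def stage2_3_bucket_stats(events):
    """bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts
    BY _time, Workstation (tried_accounts assumed to be the distinct names)."""
    groups = defaultdict(set)
    for e in events:
        bucket = int(e["_time"] // BUCKET_SECONDS) * BUCKET_SECONDS
        groups[(bucket, e["Workstation"])].add(e["TargetUserName"])
    return [{"_time": t, "Workstation": ws, "unique_accounts": len(users),
             "tried_accounts": sorted(users)}
            for (t, ws), users in sorted(groups.items())]


def stage4_6_eventstats_eval(rows):
    """eventstats avg/stdev of unique_accounts BY Workstation, then the evals."""
    per_ws = defaultdict(list)
    for r in rows:
        per_ws[r["Workstation"]].append(r["unique_accounts"])
    for r in rows:
        vals = per_ws[r["Workstation"]]
        r["comp_avg"] = mean(vals)
        r["comp_std"] = stdev(vals) if len(vals) > 1 else 0.0  # one bucket: no spread
        r["upperBound"] = r["comp_avg"] + SIGMA * r["comp_std"]
        r["isOutlier"] = 1 if r["unique_accounts"] > r["upperBound"] else 0
    return rows


def stage7_search(rows):
    """search isOutlier=1"""
    return [r for r in rows if r["isOutlier"] == 1]


def run_detection(events):
    return stage7_search(stage4_6_eventstats_eval(
        stage2_3_bucket_stats(stage1_search(events))))


def max_single_spike_z(n):
    """Largest z-score a single bucket can reach against n buckets when the
    other n-1 are identical, with the sample standard deviation: (n-1)/sqrt(n).
    This is below 3 for n <= 10, so a host needs at least 11 buckets of
    failure history before one spike can ever cross the 3-sigma bound."""
    return (n - 1) / sqrt(n)


if __name__ == "__main__":
    for hit in run_detection(build_sample_events()):
        print(f"{hit['Workstation']} bucket={int(hit['_time'])} "
              f"unique={hit['unique_accounts']} bound={hit['upperBound']:.1f} "
              f"accounts={hit['tried_accounts'][:5]}...")
```

Running it flags only the WS01 spray bucket (40 distinct accounts against a bound of roughly 23.7), drops the machine account, the success and the non-4776 record before counting, and leaves WS02 unflagged even though it tried 30 accounts, because a host with a single bucket has nothing to deviate from. The max_single_spike_z helper quantifies the other side of that coin: a host needs at least 11 buckets of prior failures before a lone spike can reach 3 sigma, which is worth remembering when choosing the search time range.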
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 4776 |
| Status | eq | 0xC000006A |
| TargetUserName | ne | *$ |
| isOutlier | eq | 1 |