Multiple Users Failing to Authenticate from Single Process

 1title: Multiple Users Failing to Authenticate from Single Process
 2id: fe563ab6-ded4-4916-b49f-a3a8445fe280
 3status: unsupported
 4description: Detects failed logins with multiple accounts from a single process on the system.
 5references:
 6    - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 7    - https://www.trimarcsecurity.com/single-post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing
 8author: Mauricio Velazco
 9date: 2021/06/01
10modified: 2023/03/13
11tags:
12    - attack.t1110.003
13    - attack.initial_access
14    - attack.privilege_escalation
15logsource:
16    product: windows
17    service: security
18detection:
19    selection1:
20        EventID: 4625
21        LogonType: 2
22    filter:
23        ProcessName: '-'
24    timeframe: 24h
25    condition: selection1 and not filter | count(TargetUserName) by ProcessName > 10
26falsepositives:
27    - Terminal servers
28    - Jump servers
29    - Other multiuser systems like Citrix server farms
30    - Workstations with frequently changing users
31level: medium

References

• https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying

  
  Read More

• https://www.trimarcsecurity.com/single-post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing

  
  Read More

Related rules

• Disabled Users Failing To Authenticate From Source Using Kerberos
• Invalid Users Failing To Authenticate From Single Source Using NTLM
• Invalid Users Failing To Authenticate From Source Using Kerberos
• Multiple Users Remotely Failing To Authenticate From Single Source
• Password Spraying via Explicit Credentials