Invalid Users Failing To Authenticate From Source Using Kerberos

Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.

Sigma rule (View on GitHub)

 1title: Invalid Users Failing To Authenticate From Source Using Kerberos
 2id: bc93dfe6-8242-411e-a2dd-d16fa0cc8564
 3status: unsupported
 4description: Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.
 5references:
 6    - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 7author: Mauricio Velazco, frack113
 8date: 2021/06/01
 9modified: 2023/03/13
10tags:
11    - attack.t1110.003
12    - attack.initial_access
13    - attack.privilege_escalation
14logsource:
15    product: windows
16    service: security
17detection:
18    selection:
19        EventID: 4768
20        Status: '0x6'
21    filter_computer:
22        TargetUserName|endswith: '$'
23    timeframe: 24h
24    condition: selection and not filter_computer | count(TargetUserName) by IpAddress > 10
25falsepositives:
26    - Vulnerability scanners
27    - Misconfigured systems
28    - Remote administration tools
29    - VPN terminators
30    - Multiuser systems like Citrix server farms
31level: medium

References

Related rules

to-top