Invalid Users Failing To Authenticate From Source Using Kerberos
Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.
Sigma rule (View on GitHub)
1title: Invalid Users Failing To Authenticate From Source Using Kerberos
2id: bc93dfe6-8242-411e-a2dd-d16fa0cc8564
3status: unsupported
4description: Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.
5references:
6 - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
7author: Mauricio Velazco, frack113
8date: 2021/06/01
9modified: 2023/03/13
10tags:
11 - attack.t1110.003
12 - attack.initial_access
13 - attack.privilege_escalation
14logsource:
15 product: windows
16 service: security
17detection:
18 selection:
19 EventID: 4768
20 Status: '0x6'
21 filter_computer:
22 TargetUserName|endswith: '$'
23 timeframe: 24h
24 condition: selection and not filter_computer | count(TargetUserName) by IpAddress > 10
25falsepositives:
26 - Vulnerability scanners
27 - Misconfigured systems
28 - Remote administration tools
29 - VPN terminators
30 - Multiuser systems like Citrix server farms
31level: medium
References
Related rules
- Disabled Users Failing To Authenticate From Source Using Kerberos
- Invalid Users Failing To Authenticate From Single Source Using NTLM
- Multiple Users Failing to Authenticate from Single Process
- Multiple Users Remotely Failing To Authenticate From Single Source
- Password Spraying via Explicit Credentials