Multiple Users Remotely Failing To Authenticate From Single Source
Detects a source system failing to authenticate against a remote host with multiple users.
Sigma rule (View on GitHub)
1title: Multiple Users Remotely Failing To Authenticate From Single Source
2id: add2ef8d-dc91-4002-9e7e-f2702369f53a
3status: unsupported
4description: Detects a source system failing to authenticate against a remote host with multiple users.
5references:
6 - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
7author: Mauricio Velazco
8date: 2021/06/01
9modified: 2023/02/24
10tags:
11 - attack.t1110.003
12 - attack.initial_access
13 - attack.privilege_escalation
14logsource:
15 product: windows
16 service: security
17detection:
18 selection1:
19 EventID: 4625
20 LogonType: 3
21 filter:
22 IpAddress: '-'
23 timeframe: 24h
24 condition: selection1 and not filter | count(TargetUserName) by IpAddress > 10
25falsepositives:
26 - Terminal servers
27 - Jump servers
28 - Other multiuser systems like Citrix server farms
29 - Workstations with frequently changing users
30level: medium
References
-
Splunk Security Content Analytic Story All the Analytic Stories shipped to different Splunk products. Below is a breakdown by Category. Abuse Brand monitoring Detect and investigate activity that m...
Read More
Related rules
- Disabled Users Failing To Authenticate From Source Using Kerberos
- Invalid Users Failing To Authenticate From Single Source Using NTLM
- Invalid Users Failing To Authenticate From Source Using Kerberos
- Multiple Users Failing to Authenticate from Single Process
- Password Spraying via Explicit Credentials