NTLM Brute Force
Detects common NTLM brute force device names
Sigma rule
title: NTLM Brute Force
id: 9c8acf1a-cbf9-4db6-b63c-74baabe03e59
status: test
description: Detects common NTLM brute force device names
references:
    - https://www.varonis.com/blog/investigate-ntlm-brute-force
author: Jerry Shockley '@jsh0x'
date: 2022-02-02
tags:
    - attack.credential-access
    - attack.t1110
logsource:
    product: windows
    service: ntlm
    definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
    selection:
        EventID: 8004
    devicename:
        WorkstationName:
            - 'Rdesktop'
            - 'Remmina'
            - 'Freerdp'
            - 'Windows7'
            - 'Windows8'
            - 'Windows2012'
            - 'Windows2016'
            - 'Windows2019'
    condition: selection and devicename
falsepositives:
    - Systems with names equal to the spoofed ones used by the brute force tools
level: medium
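The following is an added example, not code from the rule or the SigmaHQ repository. It applies the rule's logic (`EventID: 8004` and an exact, case-insensitive match of `WorkstationName` against the `devicename` list) to a handful of constructed Event 8004 records, and then counts distinct user names per spoofed workstation name so that a single mis-named host can be told apart from a spray. The field names `Channel`, `EventID`, `WorkstationName` and `UserName` are an assumption about how the Microsoft-Windows-NTLM/Operational events arrive in the pipeline; real collectors may name them differently.

```python
"""Run the 'NTLM Brute Force' Sigma rule over sample NTLM/Operational events."""
from collections import defaultdict

# Workstation names listed under `devicename` in the rule. Sigma string values
# match case-insensitively by default, so the comparison is done on folded text.
SPOOFED_WORKSTATION_NAMES = {
    "Rdesktop", "Remmina", "Freerdp",
    "Windows7", "Windows8", "Windows2012", "Windows2016", "Windows2019",
}
_SPOOFED = {name.casefold() for name in SPOOFED_WORKSTATION_NAMES}

NTLM_CHANNEL = "Microsoft-Windows-NTLM/Operational"

# Constructed sample events shaped like Event 8004 records; the field names
# are an assumption made for this example, not a documented schema.
SAMPLE_EVENTS = [
    {"Channel": NTLM_CHANNEL, "EventID": 8004,
     "WorkstationName": "Rdesktop", "UserName": "alice", "DomainName": "CORP"},
    {"Channel": NTLM_CHANNEL, "EventID": 8004,
     "WorkstationName": "rdesktop", "UserName": "bob", "DomainName": "CORP"},
    {"Channel": NTLM_CHANNEL, "EventID": 8004,
     "WorkstationName": "WINDOWS7", "UserName": "carol", "DomainName": "CORP"},
    # An ordinary host name: not matched.
    {"Channel": NTLM_CHANNEL, "EventID": 8004,
     "WorkstationName": "LAPTOP-42", "UserName": "dave", "DomainName": "CORP"},
    # The rule uses no wildcards, so a name that merely contains 'Windows7' is not matched.
    {"Channel": NTLM_CHANNEL, "EventID": 8004,
     "WorkstationName": "Windows7-FIN", "UserName": "erin", "DomainName": "CORP"},
    # A spoofed name on a different event ID: `selection` fails, so no hit.
    {"Channel": NTLM_CHANNEL, "EventID": 8001,
     "WorkstationName": "Remmina", "UserName": "frank", "DomainName": "CORP"},
]


def matches_rule(event):
    """True when the event satisfies `condition: selection and devicename`."""
    # logsource: product windows / service ntlm, i.e. the NTLM Operational channel
    if event.get("Channel") != NTLM_CHANNEL:
        return False
    # selection: EventID 8004
    if event.get("EventID") != 8004:
        return False
    # devicename: WorkstationName equals one of the listed values (case-insensitive)
    return str(event.get("WorkstationName", "")).casefold() in _SPOOFED


def run_rule(events):
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if matches_rule(e)]


def summarize(events):
    """Per spoofed name (case-folded): number of hits and number of distinct users.

    Many distinct users behind one spoofed name points at a spray; one user
    with many hits is more likely a real host that happens to carry the name
    (the rule's documented false positive).
    """
    counts = defaultdict(lambda: {"events": 0, "users": set()})
    for e in run_rule(events):
        key = e["WorkstationName"].casefold()
        counts[key]["events"] += 1
        counts[key]["users"].add(e.get("UserName"))
    return {k: {"events": v["events"], "users": len(v["users"])}
            for k, v in counts.items()}


if __name__ == "__main__":
    for name, stats in summarize(SAMPLE_EVENTS).items():
        print(f"{name}: {stats['events']} events, {stats['users']} distinct users")
```

Event 8004 is only written to Microsoft-Windows-NTLM/Operational on domain controllers when NTLM auditing is enabled (the "Network security: Restrict NTLM: Audit NTLM authentication in this domain" policy), so the rule produces nothing on an estate where that policy is off, and the logsource definition above is a hard prerequisite rather than a hint.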
Related rules
- Account Lockout
- Bitbucket User Login Failure
- Cisco BGP Authentication Failures
- Cisco LDP Authentication Failures
- External Remote RDP Logon from Public IP