NTLM Brute Force
Detects common NTLM brute force device names
Sigma rule
```yaml
title: NTLM Brute Force
id: 9c8acf1a-cbf9-4db6-b63c-74baabe03e59
status: test
description: Detects common NTLM brute force device names
references:
    - https://www.varonis.com/blog/investigate-ntlm-brute-force
author: Jerry Shockley '@jsh0x'
date: 2022/02/02
tags:
    - attack.credential_access
    - attack.t1110
logsource:
    product: windows
    service: ntlm
    definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
    selection:
        EventID: 8004
    devicename:
        WorkstationName:
            - 'Rdesktop'
            - 'Remmina'
            - 'Freerdp'
            - 'Windows7'
            - 'Windows8'
            - 'Windows2012'
            - 'Windows2016'
            - 'Windows2019'
    condition: selection and devicename
falsepositives:
    - Systems with names equal to the spoofed ones used by the brute force tools
level: medium
```
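The rule has two parts: `selection` restricts to Event ID 8004 from the Microsoft-Windows-NTLM/Operational channel (logged on domain controllers only when the "Audit NTLM authentication in this domain" policy is enabled, so the channel must be populated before this rule can fire), and `devicename` checks the client-supplied `WorkstationName` against names that common brute-force tooling sends instead of a real hostname. Sigma compares plain string values case-insensitively, so `rdesktop` and `RDESKTOP` both match `'Rdesktop'`. The following is an added example that is not part of the Sigma rule or its author's code: it re-implements the rule's matching logic in Python and runs it over a few constructed 8004 records, then goes one step beyond the rule by grouping hits per workstation name and counting distinct target accounts, which is the triage step an analyst would take to separate a password spray from a single misnamed host. The `summarize_hits` helper and the sample events are assumptions for illustration; the field names follow the 8004 event's `UserName`, `DomainName`, `WorkstationName` and `SecureChannelName` data.

```python
"""Run the 'NTLM Brute Force' Sigma rule logic over constructed Event 8004 records."""
from collections import defaultdict

# Values from the rule's 'devicename' selection. Sigma compares plain string
# values case-insensitively, so both sides are lowercased before comparing.
SPOOFED_WORKSTATION_NAMES = {
    name.lower()
    for name in (
        "Rdesktop", "Remmina", "Freerdp",
        "Windows7", "Windows8", "Windows2012", "Windows2016", "Windows2019",
    )
}


def matches_rule(event: dict) -> bool:
    """Return True when 'selection and devicename' holds for one event.

    selection  -> EventID == 8004
    devicename -> WorkstationName is one of the spoofed tool names
    """
    if event.get("EventID") != 8004:
        return False
    workstation = event.get("WorkstationName")
    if not isinstance(workstation, str):
        # 8004 always carries WorkstationName, but malformed or partial
        # records should not raise inside a detection loop.
        return False
    return workstation.lower() in SPOOFED_WORKSTATION_NAMES


def summarize_hits(events) -> dict:
    """Triage helper (assumed, not part of the Sigma rule): group rule hits by
    WorkstationName and count attempts and distinct target accounts.
    Many distinct users behind one spoofed name points to a password spray."""
    hits = defaultdict(lambda: {"attempts": 0, "users": set()})
    for ev in events:
        if matches_rule(ev):
            key = ev["WorkstationName"].lower()
            hits[key]["attempts"] += 1
            hits[key]["users"].add(ev.get("UserName", "").lower())
    return {
        name: {"attempts": h["attempts"], "distinct_users": len(h["users"])}
        for name, h in hits.items()
    }


# Constructed sample events (not real logs). Field names follow the
# Microsoft-Windows-NTLM/Operational 8004 event data.
SAMPLE_EVENTS = [
    {"EventID": 8004, "UserName": "jsmith", "DomainName": "CORP",
     "WorkstationName": "rdesktop", "SecureChannelName": "FS01"},
    {"EventID": 8004, "UserName": "mjones", "DomainName": "CORP",
     "WorkstationName": "RDESKTOP", "SecureChannelName": "FS01"},   # case differs, still matches
    {"EventID": 8004, "UserName": "svc_backup", "DomainName": "CORP",
     "WorkstationName": "Windows7", "SecureChannelName": "FS01"},
    {"EventID": 8004, "UserName": "jdoe", "DomainName": "CORP",
     "WorkstationName": "LT-JDOE-01", "SecureChannelName": "FS01"},  # real hostname, no match
    {"EventID": 8001, "UserName": "jsmith", "DomainName": "CORP",
     "WorkstationName": "rdesktop", "SecureChannelName": "FS01"},    # different NTLM audit event, not 8004
    {"EventID": 8004, "UserName": "admin", "DomainName": "CORP",
     "WorkstationName": "Remmina", "SecureChannelName": "FS01"},
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict = "ALERT" if matches_rule(ev) else "ok"
        print(f"{verdict:5} EventID={ev['EventID']} user={ev['UserName']} "
              f"workstation={ev['WorkstationName']}")
    print(summarize_hits(SAMPLE_EVENTS))
```

Note the false-positive case called out in the rule: a real machine that happens to be named `Windows2016` produces the same `WorkstationName` value as the tooling, so the per-name summary (one workstation name, one or two accounts, normal working hours) is what distinguishes that from a spray against many accounts.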
Related rules
- External Remote Service Logon from Public IP
- Access to Browser Login Data
- Create Volume Shadow Copy with Powershell
- Request A Single Ticket via PowerShell
- Suspicious Connection to Remote Account