
Windows Multiple Users Failed To Authenticate From Host Using NTLM

Splunk Security Content

Summary
This detection rule identifies potential password spraying attacks against a Windows environment that uses NTLM for authentication. Specifically, it looks for a single source endpoint that fails to authenticate as 30 unique valid user accounts, a pattern that indicates a concentrated effort to gain access by trying passwords across many accounts rather than many passwords against one. The rule analyzes Windows Security events, particularly Event Code 4776 (the domain controller's NTLM credential validation event), and filters on error code 0xC000006A, which means the account exists but the password was wrong. Such behavior deviates from standard authentication patterns and could reflect malicious attempts to breach Active Directory security, potentially leading to unauthorized access to sensitive resources.
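The logic the summary describes, reimplemented in Python over a constructed batch of Event 4776 records, is shown below as an added example; it is not Splunk's own search (which lives in the linked source) and the record layout, workstation names and account names are assumptions made for the illustration. It shows why the rule keys on 0xC000006A: a nonexistent-account failure (0xC0000064) and a successful validation (0x0) from the same host are both ignored, and repeated failures for the same account do not raise the distinct-account count.

```python
import re
from collections import defaultdict

# Constructed 4776 records (not real logs); the field order mirrors the
# message text of Windows Security event 4776.
def make_event(user, workstation, error_code):
    return (
        "EventCode=4776 "
        "Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
        f"Logon Account: {user} "
        f"Source Workstation: {workstation} "
        f"Error Code: {error_code}"
    )

SAMPLE_EVENTS = (
    # 32 distinct accounts with a bad password from one (hypothetical) host
    [make_event(f"user{i:02d}", "WS-ATTACK", "0xC000006A") for i in range(32)]
    # repeated failure for an account already seen: no new distinct user
    + [make_event("user01", "WS-ATTACK", "0xC000006A")]
    # benign host with a few bad-password failures, below the threshold
    + [make_event(f"user{i:02d}", "WS-NORMAL", "0xC000006A") for i in range(3)]
    # account does not exist (0xC0000064): not a "valid" account, excluded
    + [make_event("ghost", "WS-ATTACK", "0xC0000064")]
    # successful validation (0x0): excluded
    + [make_event("user05", "WS-ATTACK", "0x0")]
)

EVENT_RE = re.compile(
    r"EventCode=(?P<code>\d+).*?"
    r"Logon Account: (?P<user>\S+).*?"
    r"Source Workstation: (?P<host>\S+).*?"
    r"Error Code: (?P<err>0x[0-9A-Fa-f]+)"
)

def parse_event(line):
    """Extract the fields the detection needs; return None for unrelated lines."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return {
        "code": int(m.group("code")),
        "user": m.group("user").lower(),   # normalise case so Alice == alice
        "host": m.group("host").upper(),
        "err": m.group("err").lower(),
    }

def find_spraying_sources(lines, threshold=30):
    """Return {source_host: sorted distinct accounts} for every host whose
    bad-password (0xC000006A) 4776 failures cover at least `threshold`
    distinct accounts."""
    users_by_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["code"] != 4776 or ev["err"] != "0xc000006a":
            continue
        users_by_host[ev["host"]].add(ev["user"])
    return {
        host: sorted(users)
        for host, users in users_by_host.items()
        if len(users) >= threshold
    }

if __name__ == "__main__":
    for host, users in find_spraying_sources(SAMPLE_EVENTS).items():
        print(f"{host}: {len(users)} distinct accounts failed with bad password")
```

A production search would additionally bound the distinct-account count to a time window, which this block omits; the point here is the grouping key (source workstation) and the error-code filter that makes the count reflect valid accounts only.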
Categories
  • Windows
  • Endpoint
  • Infrastructure
  • Identity Management
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1110
  • T1110.003
Created: 2024-11-13