Merge pull request #1535 from mvelazc0/master

Password Spraying Sigma Rules

rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml

@@ -0,0 +1,26 @@
+title: Multiple Users Attempting To Authenticate Using Explicit Credentials
+id: 196a29c2-e378-48d8-ba07-8a9e61f7fab9
+description: Detects a source user failing to authenticate with multiple users using explicit credentials on a host.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+    - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+    - attack.t1110.003
+    - attack.initial_access
+    - attack.privilege_escalation
+logsource:
+    product: windows
+    service: security
+detection:
+    selection1:
+        EventID: '4648'
+    timeframe: 24h
+    condition:
+        - selection1 | count(Account_Name) by ComputerName > 10
+falsepositives:
+    - Terminal servers
+    - Jump servers
+    - Other multiuser systems like Citrix server farms
+    - Workstations with frequently changing users
+level: medium

rules/windows/builtin/win_susp_failed_logons_single_process.yml

@@ -0,0 +1,29 @@
+title: Multiple Users Failing to Authenticate from Single Process
+id: fe563ab6-ded4-4916-b49f-a3a8445fe280
+description: Detects failed logins with multiple accounts from a single process on the system.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+    - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+    - attack.t1110.003
+    - attack.initial_access
+    - attack.privilege_escalation
+logsource:
+    product: windows
+    service: security
+detection:
+    selection1:
+        EventID: '4625'
+        Logon_Type: '2'
+    filter:
+        Caller_Process_Name: '-'
+    timeframe: 24h
+    condition:
+        - selection1 and not filter | count(Account_Name) by Caller_Process_Name > 10
+falsepositives:
+    - Terminal servers
+    - Jump servers
+    - Other multiuser systems like Citrix server farms
+    - Workstations with frequently changing users
+level: medium

rules/windows/builtin/win_susp_failed_logons_single_source.yml

@@ -30,4 +30,4 @@ falsepositives:
     - Jump servers
     - Other multiuser systems like Citrix server farms
     - Workstations with frequently changing users
-level: medium
+level: medium

rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml

@@ -0,0 +1,30 @@
+title: Valid Users Failing to Authenticate From Single Source Using Kerberos
+id: 5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98
+description: Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+    - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+    - attack.t1110.003
+    - attack.initial_access
+    - attack.privilege_escalation
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: '4771'
+        Failure_Code: '0x18'
+    filter:
+        Account_Name: '*$'
+    timeframe: 24h
+    condition:
+        - selection and not filter | count(Account_Name) by Client_Address > 10
+falsepositives:
+    - Vulnerability scanners
+    - Missconfigured systems
+    - Remote administration tools
+    - VPN terminators
+    - Multiuser systems like Citrix server farms
+level: medium

rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml

@@ -0,0 +1,30 @@
+title: Disabled Users Failing To Authenticate From Source Using Kerberos
+id: 4b6fe998-b69c-46d8-901b-13677c9fb663
+description: Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+    - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+    - attack.t1110.003
+    - attack.initial_access
+    - attack.privilege_escalation
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: '4768'
+        Result_Code: '0x12'
+    filter:
+        Account_Name: '*$'
+    timeframe: 24h
+    condition:
+        - selection and not filter | count(Account_Name) by Client_Address > 10
+falsepositives:
+    - Vulnerability scanners
+    - Missconfigured systems
+    - Remote administration tools
+    - VPN terminators
+    - Multiuser systems like Citrix server farms
+level: medium

rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml

@@ -0,0 +1,30 @@
+title: Invalid Users Failing To Authenticate From Source Using Kerberos
+id: bc93dfe6-8242-411e-a2dd-d16fa0cc8564
+description: Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+    - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+    - attack.t1110.003
+    - attack.initial_access
+    - attack.privilege_escalation
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: '4768'
+        Result_Code: '0x6'
+    filter:
+        Account_Name: '*$'
+    timeframe: 24h
+    condition:
+        - selection and not filter | count(Account_Name) by Client_Address > 10
+falsepositives:
+    - Vulnerability scanners
+    - Missconfigured systems
+    - Remote administration tools
+    - VPN terminators
+    - Multiuser systems like Citrix server farms
+level: medium

rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml

@@ -0,0 +1,30 @@
+title: Valid Users Failing to Authenticate from Single Source Using NTLM
+id: f88bab7f-b1f4-41bb-bdb1-4b8af35b0470
+description: Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+    - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+    - attack.t1110.003
+    - attack.initial_access
+    - attack.privilege_escalation
+logsource:
+    product: windows
+    service: security
+detection:
+    selection1:
+        EventID: '4776'
+        action: 'failure'
+        Message: '*0xC000006A'
+    filter:
+        Logon_Account: '*$'
+    timeframe: 24h
+    condition:
+        - selection1 and not filter | count(Logon_Account) by Source_Workstation > 10
+falsepositives:
+    - Terminal servers
+    - Jump servers
+    - Other multiuser systems like Citrix server farms
+    - Workstations with frequently changing users
+level: medium

rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml

@@ -0,0 +1,30 @@
+title: Invalid Users Failing To Authenticate From Single Source Using NTLM
+id: 56d62ef8-3462-4890-9859-7b41e541f8d5
+description: Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+    - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+    - attack.t1110.003
+    - attack.initial_access
+    - attack.privilege_escalation
+logsource:
+    product: windows
+    service: security
+detection:
+    selection1:
+        EventID: '4776'
+        action: 'failure'
+        Message: '*0xC0000064'
+    filter:
+        Logon_Account: '*$'
+    timeframe: 24h
+    condition:
+        - selection1 and not filter | count(Logon_Account) by Source_Workstation > 10
+falsepositives:
+    - Terminal servers
+    - Jump servers
+    - Other multiuser systems like Citrix server farms
+    - Workstations with frequently changing users
+level: medium

rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml

@@ -0,0 +1,29 @@
+title: Multiple Users Remotely Failing To Authenticate From Single Source
+id: add2ef8d-dc91-4002-9e7e-f2702369f53a
+description: Detects a source system failing to authenticate against a remote host with multiple users.
+author: Mauricio Velazco
+references:
+    - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+date: 2021/06/01
+tags:
+    - attack.t1110.003
+    - attack.initial_access
+    - attack.privilege_escalation
+logsource:
+    product: windows
+    service: security
+detection:
+    selection1:
+        EventID: '4625'
+        Logon_Type: '3'
+    filter:
+        Source_Network_Address: '-'
+    timeframe: 24h
+    condition:
+        - selection1 and not filter | count(Account_Name) by Source_Network_Address > 10
+falsepositives:
+    - Terminal servers
+    - Jump servers
+    - Other multiuser systems like Citrix server farms
+    - Workstations with frequently changing users
+level: medium