diff --git a/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml b/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml
new file mode 100644
index 000000000..a64133d28
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml
@@ -0,0 +1,26 @@
+title: Multiple Users Attempting To Authenticate Using Explicit Credentials
+id: 196a29c2-e378-48d8-ba07-8a9e61f7fab9
+description: Detects a source user failing to authenticate with multiple users using explicit credentials on a host.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: '4648'
+ timeframe: 24h
+ condition:
+ - selection1 | count(Account_Name) by ComputerName > 10
+falsepositives:
+ - Terminal servers
+ - Jump servers
+ - Other multiuser systems like Citrix server farms
+ - Workstations with frequently changing users
+level: medium
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_process.yml b/rules/windows/builtin/win_susp_failed_logons_single_process.yml
new file mode 100644
index 000000000..716bc8ae6
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_single_process.yml
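Review bot: The detection fields `Account_Name` and `ComputerName` in selection1 and in the `count(...) by ...` clause are the Splunk Windows add-on's field names rather than the EventData names (`TargetUserName`, `SubjectUserName`, `IpAddress` and so on) that the other rules under rules/windows/builtin use, so the backend field mappings will not apply to this rule; the same applies to `Logon_Type`, `Caller_Process_Name`, `Client_Address`, `Logon_Account`, `Source_Workstation` and `Source_Network_Address` in every other new file in this commit. For 4648 `Account_Name` is additionally ambiguous, since the event carries both a subject and a target account and the aggregation needs the target one. The description's "failing to authenticate" does not match 4648, which is written for the attempt itself whatever its outcome; `description: Detects a source user attempting to authenticate as many different users with explicit credentials on a host.` would state what the rule actually counts. A `status: experimental` line after `id` is also missing here and in each of the other new rules.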
@@ -0,0 +1,29 @@
+title: Multiple Users Failing to Authenticate from Single Process
+id: fe563ab6-ded4-4916-b49f-a3a8445fe280
+description: Detects failed logins with multiple accounts from a single process on the system.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: '4625'
+ Logon_Type: '2'
+ filter:
+ Caller_Process_Name: '-'
+ timeframe: 24h
+ condition:
+ - selection1 and not filter | count(Account_Name) by Caller_Process_Name > 10
+falsepositives:
+ - Terminal servers
+ - Jump servers
+ - Other multiuser systems like Citrix server farms
+ - Workstations with frequently changing users
+level: medium
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_logons_single_source.yml
index d8727c314..dad0b88d8 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source.yml
@@ -30,4 +30,4 @@ falsepositives:
 - Jump servers
 - Other multiuser systems like Citrix server farms
 - Workstations with frequently changing users
-level: medium
+level: medium
\ No newline at end of file
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
new file mode 100644
index 000000000..17114308a
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
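Review bot: The aggregation `count(Account_Name) by Caller_Process_Name > 10` groups by process path alone, so failures produced by the same well-known process path on every host in the estate fall into one bucket and the threshold can be reached by ordinary load across many machines rather than by one process spraying accounts. As far as the v1 Sigma aggregation syntax goes, `by` takes a single field, so the host cannot simply be added to the grouping; the description should at least state that the count is per process path across all hosts, or the threshold should be tuned with that in mind. The description also does not say that `Logon_Type: '2'` limits this to interactive logons; `description: Detects failed interactive logins (logon type 2) with multiple accounts from a single calling process.` would make the scope explicit.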
@@ -0,0 +1,30 @@
+title: Valid Users Failing to Authenticate From Single Source Using Kerberos
+id: 5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98
+description: Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: '4771'
+ Failure_Code: '0x18'
+ filter:
+ Account_Name: '*$'
+ timeframe: 24h
+ condition:
+ - selection and not filter | count(Account_Name) by Client_Address > 10
+falsepositives:
+ - Vulnerability scanners
+ - Missconfigured systems
+ - Remote administration tools
+ - VPN terminators
+ - Multiuser systems like Citrix server farms
+level: medium
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
new file mode 100644
index 000000000..7da50919a
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
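Review bot: `Missconfigured systems` in the falsepositives list should read `Misconfigured systems`; the same entry is repeated in the two 4768 rules later in this commit. Nothing in the rule says that 4771 is only produced on domain controllers and only when failure auditing is enabled for the Kerberos Authentication Service subcategory, so a deployment without that audit setting will run the rule as a silent no-op; adding `Requires failure auditing of the Kerberos Authentication Service subcategory on domain controllers.` to the description would make the prerequisite visible. `Client_Address` on these events is, as far as I recall, frequently in IPv4-mapped IPv6 form (`::ffff:x.x.x.x`), which does not affect the grouping itself but is worth knowing when tuning the exclusions.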
@@ -0,0 +1,30 @@
+title: Disabled Users Failing To Authenticate From Source Using Kerberos
+id: 4b6fe998-b69c-46d8-901b-13677c9fb663
+description: Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: '4768'
+ Result_Code: '0x12'
+ filter:
+ Account_Name: '*$'
+ timeframe: 24h
+ condition:
+ - selection and not filter | count(Account_Name) by Client_Address > 10
+falsepositives:
+ - Vulnerability scanners
+ - Missconfigured systems
+ - Remote administration tools
+ - VPN terminators
+ - Multiuser systems like Citrix server farms
+level: medium
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
new file mode 100644
index 000000000..514ec94fd
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
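Review bot: Result code 0x12 (KDC_ERR_CLIENT_REVOKED) is returned for any revoked client credential — disabled, expired and locked-out accounts, and logon-hour restrictions — not only for disabled users, so the title and description describe a narrower set than the rule counts; `description: Detects failed Kerberos TGT requests for multiple disabled, expired or locked-out domain accounts from a single source system.` would be accurate. The locked-out case matters for this rule's purpose, because a spray that has already tripped account lockout shows up under 0x12 rather than under the 0x18 rule. The numeric file suffixes `kerberos2` and `kerberos3` (and `ntlm2` later in the commit) say nothing about what distinguishes the rules; suffixes such as `_revoked_accounts` and `_unknown_accounts` would make the directory listing self-describing.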
@@ -0,0 +1,30 @@
+title: Invalid Users Failing To Authenticate From Source Using Kerberos
+id: bc93dfe6-8242-411e-a2dd-d16fa0cc8564
+description: Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: '4768'
+ Result_Code: '0x6'
+ filter:
+ Account_Name: '*$'
+ timeframe: 24h
+ condition:
+ - selection and not filter | count(Account_Name) by Client_Address > 10
+falsepositives:
+ - Vulnerability scanners
+ - Missconfigured systems
+ - Remote administration tools
+ - VPN terminators
+ - Multiuser systems like Citrix server farms
+level: medium
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
new file mode 100644
index 000000000..b260bb585
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
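Review bot: "invalid domain accounts" in the title and description is vague for result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), which specifically means the requested principal does not exist in the realm; `description: Detects failed Kerberos TGT requests for multiple non-existent domain accounts from a single source system.` states what the code means. The falsepositives list is copied verbatim from the valid-user rule, but the benign sources of this code are different — typos in the logon name and stale service or scheduled-task configurations referencing deleted accounts — and naming them would help the analyst tuning the rule.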
@@ -0,0 +1,30 @@
+title: Valid Users Failing to Authenticate from Single Source Using NTLM
+id: f88bab7f-b1f4-41bb-bdb1-4b8af35b0470
+description: Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: '4776'
+ action: 'failure'
+ Message: '*0xC000006A'
+ filter:
+ Logon_Account: '*$'
+ timeframe: 24h
+ condition:
+ - selection1 and not filter | count(Logon_Account) by Source_Workstation > 10
+falsepositives:
+ - Terminal servers
+ - Jump servers
+ - Other multiuser systems like Citrix server farms
+ - Workstations with frequently changing users
+level: medium
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml
new file mode 100644
index 000000000..ba48c1b97
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml
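Review bot: `action: 'failure'` and `Message: '*0xC000006A'` in selection1 are Splunk-side constructs (the CIM `action` normalisation and a wildcard over the rendered message text), not fields of event 4776 itself, whose EventData carries the result as a status field alongside the account and workstation; matching on that status field, e.g. `Status: '0xC000006A'`, and dropping `action` would make the rule portable across backends and avoid a leading-wildcard scan of the whole message. The same two keys appear in the 0xC0000064 rule later in this commit. Since 4776 is written on the domain controller that validated the credential for domain accounts and on the local machine for local accounts, the description should say which log source the rule expects to be collected.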
@@ -0,0 +1,30 @@
+title: Invalid Users Failing To Authenticate From Single Source Using NTLM
+id: 56d62ef8-3462-4890-9859-7b41e541f8d5
+description: Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: '4776'
+ action: 'failure'
+ Message: '*0xC0000064'
+ filter:
+ Logon_Account: '*$'
+ timeframe: 24h
+ condition:
+ - selection1 and not filter | count(Logon_Account) by Source_Workstation > 10
+falsepositives:
+ - Terminal servers
+ - Jump servers
+ - Other multiuser systems like Citrix server farms
+ - Workstations with frequently changing users
+level: medium
diff --git a/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml
new file mode 100644
index 000000000..1f574e942
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml
@@ -0,0 +1,29 @@
+title: Multiple Users Remotely Failing To Authenticate From Single Source
+id: add2ef8d-dc91-4002-9e7e-f2702369f53a
+description: Detects a source system failing to authenticate against a remote host with multiple users.
+author: Mauricio Velazco
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+date: 2021/06/01
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: '4625'
+ Logon_Type: '3'
+ filter:
+ Source_Network_Address: '-'
+ timeframe: 24h
+ condition:
+ - selection1 and not filter | count(Account_Name) by Source_Network_Address > 10
+falsepositives:
+ - Terminal servers
+ - Jump servers
+ - Other multiuser systems like Citrix server farms
+ - Workstations with frequently changing users
+level: medium
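Review bot: `date` is placed after `references` here, whereas every other rule in this commit orders `author`, `date`, `references`; moving `date: 2021/06/01` up two lines keeps the metadata order consistent across the set. The rule looks close to the existing win_susp_failed_logons_single_source.yml touched earlier in this commit, since both appear to count 4625 failures per source; I cannot see that rule's body here, but if it already covers network logons the description should say what this one adds, and otherwise a `related` entry of type `similar` linking the two would help readers. The `filter` on `Source_Network_Address: '-'` drops only events with no address recorded, so loopback addresses from local network-logon attempts would presumably still be counted under their own bucket — worth a line in the falsepositives list if that shows up in practice.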