title: Multiple Users Failing to Authenticate from Single Process
id: fe563ab6-ded4-4916-b49f-a3a8445fe280
status: unsupported
description: Detects failed logins with multiple accounts from a single process on the system.
references:
    - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
    - https://www.trimarcsecurity.com/single-post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing
author: Mauricio Velazco
date: 2021/06/01
modified: 2023/03/13
tags:
    - attack.t1110.003
    - attack.initial_access
    - attack.privilege_escalation
logsource:
    product: windows
    service: security
detection:
    selection1:
        EventID: 4625
        LogonType: 2
    filter:
        ProcessName: '-'
    timeframe: 24h
    condition: selection1 and not filter | count(TargetUserName) by ProcessName > 10
falsepositives:
    - Terminal servers
    - Jump servers
    - Other multiuser systems like Citrix server farms
    - Workstations with frequently changing users
level: medium