Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Nterl0k - T1110.003 NTLM Bruteforce #2979

Merged
merged 21 commits into from
Aug 6, 2024
Merged

Nterl0k - T1110.003 NTLM Bruteforce #2979

merged 21 commits into from
Aug 6, 2024

Conversation

nterl0k
Copy link
Contributor

@nterl0k nterl0k commented Mar 16, 2024
edited
Loading

Details

A set of detections bult to detect anomalous behaviors using the NTLM Operational via organization domain controllers.

Pending splunk/attack_data#887

Checklist

  • Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • CI/CD jobs passed ✔️
  • Validated SPL logic.
  • Validated tags, description, and how to implement.
  • Verified references match analytic.

nterl0k and others added 13 commits March 18, 2024 08:51
@nterl0k
Update windows_multiple_ntlm_null_domain_authentications.yml
eed9ec7
@nterl0k
Update windows_unusual_ntlm_authentication_users_by_source.yml
3485c6d
@nterl0k
Update windows_unusual_ntlm_authentication_destinations_by_user.yml
b05c176
@nterl0k
Update windows_unusual_ntlm_authentication_users_by_destination.yml
01ae05c
@nterl0k
Update windows_unusual_ntlm_authentication_destinations_by_source.yml
f989321
@nterl0k
Update windows_unusual_ntlm_authentication_destinations_by_source.yml
cf55da4
@nterl0k
Update windows_unusual_ntlm_authentication_users_by_destination.yml
314ad1c
@nterl0k
Update windows_unusual_ntlm_authentication_destinations_by_user.yml
bdc2b1c
@nterl0k
Update windows_unusual_ntlm_authentication_users_by_source.yml
bcbff27
@nterl0k
Update windows_multiple_ntlm_null_domain_authentications.yml
dc30b09
@nterl0k
Update windows_multiple_ntlm_null_domain_authentications.yml
7406514
@patel-bhavin
Merge branch 'develop' into nterl0k-T1110.003-NTLM-bruteforce
91b313f
@ljstella
Merge branch 'develop' into nterl0k-T1110.003-NTLM-bruteforce
a2cbf6b
@ljstella ljstella requested review from ljstella and removed request for patel-bhavin and P4T12ICK July 29, 2024 15:24
@ljstella ljstella added this to the v4.38.0 milestone Jul 29, 2024
ljstella
ljstella approved these changes Jul 29, 2024
View reviewed changes
Copy link
Contributor

@ljstella ljstella left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Thanks for you contribution @nterl0k. Only small change I had to make was one of the risk messages referencing a field that didn't exist in the search. Super easy fix. Thanks again!

@patel-bhavin patel-bhavin merged commit b91c4ec into splunk:develop Aug 6, 2024
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ljstella ljstella ljstella approved these changes

@MHaggis MHaggis Awaiting requested review from MHaggis

@pyth0n1c pyth0n1c Awaiting requested review from pyth0n1c

Assignees
No one assigned
Labels
Detections Macros
Projects
None yet
Milestone
v4.38.0
Development

Successfully merging this pull request may close these issues.
3 participants
@nterl0k @ljstella @patel-bhavin