From 8e49e5c75e64402baa3ed1411733f18ab83c4cce Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Sat, 16 Mar 2024 11:32:14 -0400 Subject: [PATCH 01/14] Add files via upload --- ...tiple_ntlm_null_domain_authentications.yml | 63 +++++++++++++++++++ ..._authentication_destinations_by_source.yml | 63 +++++++++++++++++++ ...lm_authentication_destinations_by_user.yml | 63 +++++++++++++++++++ ...lm_authentication_users_by_destination.yml | 63 +++++++++++++++++++ ...al_ntlm_authentication_users_by_source.yml | 63 +++++++++++++++++++ 5 files changed, 315 insertions(+) create mode 100644 detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml create mode 100644 detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml create mode 100644 detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml create mode 100644 detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml create mode 100644 detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml diff --git a/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml b/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml new file mode 100644 index 0000000000..303341f6d5 --- /dev/null +++ b/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml 
@@ -0,0 +1,63 @@ +name: Windows Multiple NTLM Null Domain Authentications +id: c187ce2c-c88e-4cec-8a1c-607ca0dedd78 +version: 1 +date: '2024-03-16' +author: Steven Dick +status: production +type: TTP +description: The following analytic detects when a device is the target of numerous NTLM authentications using a null domain. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to a domain joined Windows device from a non-domain device. This activity may also generate a large number of EventID 4776 events in tandem, however these events will not indicate the attacker or target device +data_source: +- NTLM Operational 8004,8005,8006 +search: '`ntlm_audit` EventCode IN (8004,8005,8006) DomainName=NULL UserName!=NULL +| eval src = replace(WorkstationName,"\\\\","") ```CIM alignment, remove leading \\ from some auth attempts ``` +| eval dest = SChannelName, user = UserName ``` CIM alignment``` +| where SChannelName!=src ``` Remove NTLM auths to self, improves accuracy for certain applications``` +| `windows_multiple_ntlm_null_domain_authentications_filter` +| stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(user))) as unique_count by dest +| eventstats avg(unique_count) as unique_avg , stdev(unique_count) as unique_std +| eval upperBound_unique=(unique_avg+unique_std*3) ``` adjust formula for sensitivity``` +| eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), 0) +| where isOutlier==1 +| `security_content_ctime(firstTime)` +| `security_content_ctime(lastTime)`' +how_to_implement: The following analytic requires that NTLM Operational logs to be imported from the environment Domain Controllers. This requires configuration of specific auditing settings, see Microsoft references for further guidance. This analytic is specific to EventID 8004~8006. +known_false_positives: Applications that deal with non-domain joined authentications. 
+references: +- https://attack.mitre.org/techniques/T1110/003/ +- https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191 +- https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/enriched-ntlm-authentication-data-using-windows-event-8004/m-p/871827 +- https://www.varonis.com/blog/investigate-ntlm-brute-force +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/4d1235e3-2c96-4e9f-a147-3cb338a0d09f +tags: + analytic_story: + - Active Directory Password Spraying + asset_type: Endpoint + confidence: 100 + impact: 75 + message: The device [$dest$] was the target of $count$ NTLM authentications from $src_count$ sources using $user_count$ unique user accounts. + mitre_attack_id: + - T1110 + - T1110.003 + observable: + - name: dest + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - EventCode + - DomainName + - Security + - WorkstationName + risk_score: 50 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log + source: XmlWinEventLog:Microsoft-Windows-NTLM/Operational + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml new file mode 100644 index 0000000000..7a7ea8623f --- /dev/null +++ b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml 
@@ -0,0 +1,63 @@ +name: Windows Unusual NTLM Authentication Destinations By Source +id: ae9b0df5-5fb0-477f-abc9-47faf42aa91d +version: 1 +date: '2024-03-16' +author: Steven Dick +status: production +type: Anomaly +description: The following analytic detects when an unusual number NTLM authentications is attempted by the same source against multiple destinations. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to a multiple domain joined Windows devices using an NTLM based process/attack. This same activity may also generate a large number of EventID 4776 events as well. +data_source: +- NTLM Operational 8004,8005,8006 +search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=* +| eval src = replace(WorkstationName,"\\\\","") ```CIM alignment, remove leading \\ from some auth attempts ``` +| eval dest = SChannelName, user = UserName ``` CIM alignment``` +| where SChannelName!=src ``` Remove NTLM auths to self, improves accuracy for certain applications ``` +| `windows_unusual_ntlm_authentication_destinations_by_source_filter` +| stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(dest))) as unique_count by src +| eventstats avg(unique_count) as unique_avg , stdev(unique_count) as unique_std +| eval upperBound_unique=(unique_avg+unique_std*3) ``` adjust formula for sensitivity``` +| eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), 0) +| where isOutlier==1 +| `security_content_ctime(firstTime)` +| `security_content_ctime(lastTime)`' +how_to_implement: The following analytic requires that NTLM Operational logs to be imported from the environment Domain Controllers. This requires configuration of specific auditing settings, see Microsoft references for further guidance. This analytic is specific to EventID 8004~8006. +known_false_positives: Vulnerability scanners, print servers, and applications that deal with non-domain joined authentications. 
+references: +- https://attack.mitre.org/techniques/T1110/003/ +- https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191 +- https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/enriched-ntlm-authentication-data-using-windows-event-8004/m-p/871827 +- https://www.varonis.com/blog/investigate-ntlm-brute-force +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/4d1235e3-2c96-4e9f-a147-3cb338a0d09f +tags: + analytic_story: + - Active Directory Password Spraying + asset_type: Endpoint + confidence: 100 + impact: 25 + message: The device [$src$] attempted $count$ NTLM authentications against $unique_count$ destinations. + mitre_attack_id: + - T1110 + - T1110.003 + observable: + - name: src + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - EventCode + - DomainName + - Security + - WorkstationName + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log + source: XmlWinEventLog:Microsoft-Windows-NTLM/Operational + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml new file mode 100644 index 0000000000..a71095a455 --- /dev/null +++ b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml 
@@ -0,0 +1,63 @@ +name: Windows Unusual NTLM Authentication Destinations By User +id: a4d86702-402b-4a4f-8d06-9d61e6c39cad +version: 1 +date: '2024-03-16' +author: Steven Dick +status: production +type: Anomaly +description: The following analytic detects when an unusual number of NTLM authentications is attempted by the same user account against multiple destinations. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to numerous domain joined Windows devices using an NTLM based process/attack. This same activity may also generate a large number of EventID 4776 events as well. +data_source: +- NTLM Operational 8004,8005,8006 +search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=* +| eval src = replace(WorkstationName,"\\\\","") ```CIM alignment, remove leading \\ from some auth attempts ``` +| eval dest = SChannelName, user = UserName ``` CIM alignment``` +| where SChannelName!=src ``` Remove NTLM auths to self, improves accuracy for certain applications ``` +| `windows_unusual_ntlm_authentication_destinations_by_user_filter` +| stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(dest))) as unique_count by user +| eventstats avg(unique_count) as unique_avg , stdev(unique_count) as unique_std +| eval upperBound_unique=(unique_avg+unique_std*3) ``` adjust formula for sensitivity``` +| eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), 0) +| where isOutlier==1 +| `security_content_ctime(firstTime)` +| `security_content_ctime(lastTime)`' +how_to_implement: The following analytic requires that NTLM Operational logs to be imported from the environment Domain Controllers. This requires configuration of specific auditing settings, see Microsoft references for further guidance. This analytic is specific to EventID 8004~8006. +known_false_positives: Vulnerability scanners, print servers, and applications that deal with non-domain joined authentications. 
+references: +- https://attack.mitre.org/techniques/T1110/003/ +- https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191 +- https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/enriched-ntlm-authentication-data-using-windows-event-8004/m-p/871827 +- https://www.varonis.com/blog/investigate-ntlm-brute-force +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/4d1235e3-2c96-4e9f-a147-3cb338a0d09f +tags: + analytic_story: + - Active Directory Password Spraying + asset_type: Endpoint + confidence: 100 + impact: 25 + message: The user [$user$] attempted $count$ NTLM authentications against $unique_count$ destinations. + mitre_attack_id: + - T1110 + - T1110.003 + observable: + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - EventCode + - DomainName + - Security + - WorkstationName + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log + source: XmlWinEventLog:Microsoft-Windows-NTLM/Operational + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml new file mode 100644 index 0000000000..c5a1b4b808 --- /dev/null +++ b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml 
@@ -0,0 +1,63 @@ +name: Windows Unusual NTLM Authentication Users By Destination +id: 1120a204-8444-428b-8657-6ea4e1f3e840 +version: 1 +date: '2024-03-16' +author: Steven Dick +status: production +type: Anomaly +description: The following analytic detects when a device is the target of numerous NTLM authentications using a null domain. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to a domain joined Windows device from a non-domain device. This activity may also generate a large number of EventID 4776 events in tandem, however these events will not indicate the attacker or target device. +data_source: +- NTLM Operational 8004,8005,8006 +search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=* +| eval src = replace(WorkstationName,"\\\\","") ```CIM alignment, remove leading \\ from some auth attempts ``` +| eval dest = SChannelName, user = UserName ``` CIM alignment``` +| where SChannelName!=src ``` Remove NTLM auths to self, improves accuracy for certain applications ``` +| `windows_unusual_ntlm_authentication_users_by_destination_filter` +| stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(user))) as unique_count by dest +| eventstats avg(unique_count) as unique_avg , stdev(unique_count) as unique_std +| eval upperBound_unique=(unique_avg+unique_std*3) ``` adjust formula for sensitivity``` +| eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), 0) +| where isOutlier==1 +| `security_content_ctime(firstTime)` +| `security_content_ctime(lastTime)`' +how_to_implement: The following analytic detects when an unusual number of NTLM authentications is attempted against the same destination. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to a domain joined Windows device using an NTLM based process/attack. 
This same activity may also generate a large number of EventID 4776 events as well. +known_false_positives: Vulnerability scanners, print servers, and applications that deal with non-domain joined authentications. +references: +- https://attack.mitre.org/techniques/T1110/003/ +- https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191 +- https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/enriched-ntlm-authentication-data-using-windows-event-8004/m-p/871827 +- https://www.varonis.com/blog/investigate-ntlm-brute-force +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/4d1235e3-2c96-4e9f-a147-3cb338a0d09f +tags: + analytic_story: + - Active Directory Password Spraying + asset_type: Endpoint + confidence: 100 + impact: 25 + message: The device [$dest$] was the target of $count$ NTLM authentications using $unique_count$ unique user accounts. + mitre_attack_id: + - T1110 + - T1110.003 + observable: + - name: dest + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - EventCode + - DomainName + - Security + - WorkstationName + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log + source: XmlWinEventLog:Microsoft-Windows-NTLM/Operational + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml new file mode 100644 index 0000000000..2b30a5fd2f --- /dev/null +++ b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml 
@@ -0,0 +1,63 @@ +name: Windows Unusual NTLM Authentication Users By Source +id: 80fcc4d4-fd90-488e-b55a-4e7190ae6ce2 +version: 1 +date: '2024-03-16' +author: Steven Dick +status: production +type: Anomaly +description: The following analytic detects when an unusual number of NTLM authentications is attempted by the same source. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to a domain joined Windows device using an NTLM based process/attack. This same activity may also generate a large number of EventID 4776 events in as well. +data_source: +- NTLM Operational 8004,8005,8006 +search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=* +| eval src = replace(WorkstationName,"\\\\","") ```CIM alignment, remove leading \\ from some auth attempts ``` +| eval dest = SChannelName, user = UserName ``` CIM alignment``` +| where SChannelName!=src ``` Remove NTLM auths to self, improves accuracy for certain applications ``` +| `windows_unusual_ntlm_authentication_users_by_source_filter` +| stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(user))) as unique_count by src +| eventstats avg(unique_count) as unique_avg , stdev(unique_count) as unique_std +| eval upperBound_unique=(unique_avg+unique_std*3) ``` adjust formula for sensitivity``` +| eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), 0) +| where isOutlier==1 +| `security_content_ctime(firstTime)` +| `security_content_ctime(lastTime)`' +how_to_implement: The following analytic requires that NTLM Operational logs to be imported from the environment Domain Controllers. This requires configuration of specific auditing settings, see Microsoft references for further guidance. This analytic is specific to EventID 8004~8006. +known_false_positives: Vulnerability scanners, print servers, and applications that deal with non-domain joined authentications. 
+references: +- https://attack.mitre.org/techniques/T1110/003/ +- https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191 +- https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/enriched-ntlm-authentication-data-using-windows-event-8004/m-p/871827 +- https://www.varonis.com/blog/investigate-ntlm-brute-force +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/4d1235e3-2c96-4e9f-a147-3cb338a0d09f +tags: + analytic_story: + - Active Directory Password Spraying + asset_type: Endpoint + confidence: 100 + impact: 25 + message: The device [$src$] attempted $count$ NTLM authentications using $unique_count$ user accounts. + mitre_attack_id: + - T1110 + - T1110.003 + observable: + - name: src + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - EventCode + - DomainName + - Security + - WorkstationName + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log + source: XmlWinEventLog:Microsoft-Windows-NTLM/Operational + sourcetype: XmlWinEventLog \ No newline at end of file From 7f7857cbd7ce34408884cb8c127d62a590377589 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Sat, 16 Mar 2024 11:33:20 -0400 Subject: [PATCH 02/14] Add files via upload --- macros/ntlm_audit.yml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 macros/ntlm_audit.yml diff --git a/macros/ntlm_audit.yml b/macros/ntlm_audit.yml new file mode 100644 index 0000000000..56f41c7934 --- /dev/null +++ b/macros/ntlm_audit.yml 
@@ -0,0 +1,3 @@ +definition: sourcetype=XmlWinEventLog:Microsoft-Windows-NTLM/Operational OR source=XmlWinEventLog:Microsoft-Windows-NTLM/Operational +description: Customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. +name: ntlm_audit \ No newline at end of file From eed9ec7847213ca3f9413f795967e0ab242a1c44 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Mon, 18 Mar 2024 08:51:30 -0400 Subject: [PATCH 03/14] Update windows_multiple_ntlm_null_domain_authentications.yml --- .../windows_multiple_ntlm_null_domain_authentications.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml b/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml index 303341f6d5..596637e8ba 100644 --- a/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml +++ b/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml 
@@ -21,7 +21,7 @@ search: '`ntlm_audit` EventCode IN (8004,8005,8006) DomainName=NULL UserName!=NU | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' how_to_implement: The following analytic requires that NTLM Operational logs to be imported from the environment Domain Controllers. This requires configuration of specific auditing settings, see Microsoft references for further guidance. This analytic is specific to EventID 8004~8006. -known_false_positives: Applications that deal with non-domain joined authentications. +known_false_positives: Applications that deal with non-domain joined authentications. Recommend adjusting the upperBound_unique eval for tailoring the correlation to your environment, running with a 24hr search window will smooth out some statistical noise. references: - https://attack.mitre.org/techniques/T1110/003/ - https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191 @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log source: XmlWinEventLog:Microsoft-Windows-NTLM/Operational - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog From 3485c6da50052a418d4d4f7f7249f38eabca54c9 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Mon, 18 Mar 2024 09:02:13 -0400 Subject: [PATCH 04/14] Update windows_unusual_ntlm_authentication_users_by_source.yml --- .../windows_unusual_ntlm_authentication_users_by_source.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml index 2b30a5fd2f..a8120871ee 100644 
--- a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml +++ b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml @@ -21,7 +21,7 @@ search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=* | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' how_to_implement: The following analytic requires that NTLM Operational logs to be imported from the environment Domain Controllers. This requires configuration of specific auditing settings, see Microsoft references for further guidance. This analytic is specific to EventID 8004~8006. -known_false_positives: Vulnerability scanners, print servers, and applications that deal with non-domain joined authentications. +known_false_positives: Vulnerability scanners, print servers, and applications that deal with non-domain joined authentications. Recommend adjusting the upperBound_unique eval for tailoring the correlation to your environment, running with a 24hr search window will smooth out some statistical noise. references: - https://attack.mitre.org/techniques/T1110/003/ - https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191 @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log source: XmlWinEventLog:Microsoft-Windows-NTLM/Operational - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog From b05c1760743c2df4b142fc81327b99d746e55de6 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Mon, 18 Mar 2024 09:02:29 -0400 Subject: [PATCH 05/14] Update windows_unusual_ntlm_authentication_destinations_by_user.yml --- ...ndows_unusual_ntlm_authentication_destinations_by_user.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml index a71095a455..4bfb8b981b 100644 --- a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml +++ b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml @@ -21,7 +21,7 @@ search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=* | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' how_to_implement: The following analytic requires that NTLM Operational logs to be imported from the environment Domain Controllers. This requires configuration of specific auditing settings, see Microsoft references for further guidance. This analytic is specific to EventID 8004~8006. -known_false_positives: Vulnerability scanners, print servers, and applications that deal with non-domain joined authentications. +known_false_positives: Vulnerability scanners, print servers, and applications that deal with non-domain joined authentications. Recommend adjusting the upperBound_unique eval for tailoring the correlation to your environment, running with a 24hr search window will smooth out some statistical noise. references: - https://attack.mitre.org/techniques/T1110/003/ - https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191 @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log source: XmlWinEventLog:Microsoft-Windows-NTLM/Operational - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog From 01ae05c8197259af4edb5ba89598993feafb29e0 Mon Sep 17 00:00:00 2001 
From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Mon, 18 Mar 2024 09:02:46 -0400 Subject: [PATCH 06/14] Update windows_unusual_ntlm_authentication_users_by_destination.yml --- ...ndows_unusual_ntlm_authentication_users_by_destination.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml index c5a1b4b808..cbbe6f933c 100644 --- a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml +++ b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml @@ -21,7 +21,7 @@ search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=* | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' how_to_implement: The following analytic detects when an unusual number of NTLM authentications is attempted against the same destination. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to a domain joined Windows device using an NTLM based process/attack. This same activity may also generate a large number of EventID 4776 events as well. -known_false_positives: Vulnerability scanners, print servers, and applications that deal with non-domain joined authentications. +known_false_positives: Vulnerability scanners, print servers, and applications that deal with non-domain joined authentications. Recommend adjusting the upperBound_unique eval for tailoring the correlation to your environment, running with a 24hr search window will smooth out some statistical noise. references: - https://attack.mitre.org/techniques/T1110/003/ - https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191 
@@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log source: XmlWinEventLog:Microsoft-Windows-NTLM/Operational - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog From f9893217a68d66f3fde4f0f759324e631e48e57a Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Mon, 18 Mar 2024 09:03:24 -0400 Subject: [PATCH 07/14] Update windows_unusual_ntlm_authentication_destinations_by_source.yml --- ...ows_unusual_ntlm_authentication_destinations_by_source.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml index 7a7ea8623f..9c11e4422e 100644 --- a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml +++ b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml 
@@ -21,7 +21,7 @@ search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=* | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' how_to_implement: The following analytic requires that NTLM Operational logs to be imported from the environment Domain Controllers. This requires configuration of specific auditing settings, see Microsoft references for further guidance. This analytic is specific to EventID 8004~8006. -known_false_positives: Vulnerability scanners, print servers, and applications that deal with non-domain joined authentications. +known_false_positives: Vulnerability scanners, print servers, and applications that deal with non-domain joined authentications. Recommend adjusting the upperBound_unique eval for tailoring the correlation to your environment, running with a 24hr search window will smooth out some statistical noise. references: - https://attack.mitre.org/techniques/T1110/003/ - https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191 @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log source: XmlWinEventLog:Microsoft-Windows-NTLM/Operational - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog From cf55da4acdcb7cacb694e11907c2d73e6a760950 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Mon, 18 Mar 2024 09:14:01 -0400 Subject: [PATCH 08/14] Update windows_unusual_ntlm_authentication_destinations_by_source.yml --- ...ndows_unusual_ntlm_authentication_destinations_by_source.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml index 9c11e4422e..d4fae926ee 100644 --- a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml +++ b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml @@ -15,7 +15,7 @@ search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=* | `windows_unusual_ntlm_authentication_destinations_by_source_filter` | stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(dest))) as unique_count by src | eventstats avg(unique_count) as unique_avg , stdev(unique_count) as unique_std -| eval upperBound_unique=(unique_avg+unique_std*3) ``` adjust formula for sensitivity``` +| eval upperBound_unique=(1+unique_avg+unique_std*3) ``` adjust formula for sensitivity``` | eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), 0) | where isOutlier==1 | `security_content_ctime(firstTime)` From 314ad1cb4b7ae7f8503b3271dccec858dc78f41a Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Mon, 18 Mar 2024 09:14:43 -0400 Subject: [PATCH 09/14] Update windows_unusual_ntlm_authentication_users_by_destination.yml --- ...windows_unusual_ntlm_authentication_users_by_destination.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml index cbbe6f933c..089daddfbc 100644 --- a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml +++ b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml 
@@ -15,7 +15,7 @@ search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=* | `windows_unusual_ntlm_authentication_users_by_destination_filter` | stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(user))) as unique_count by dest | eventstats avg(unique_count) as unique_avg , stdev(unique_count) as unique_std -| eval upperBound_unique=(unique_avg+unique_std*3) ``` adjust formula for sensitivity``` +| eval upperBound_unique=(1+unique_avg+unique_std*3) ``` adjust formula for sensitivity``` | eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), 0) | where isOutlier==1 | `security_content_ctime(firstTime)` From bdc2b1c7e82eb7f6e0237aa38d89cca626905f9f Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Mon, 18 Mar 2024 09:15:26 -0400 Subject: [PATCH 10/14] Update windows_unusual_ntlm_authentication_destinations_by_user.yml --- ...windows_unusual_ntlm_authentication_destinations_by_user.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml index 4bfb8b981b..c2042d89bc 100644 --- a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml +++ b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml 
@@ -15,7 +15,7 @@ search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=* | `windows_unusual_ntlm_authentication_destinations_by_user_filter` | stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(dest))) as unique_count by user | eventstats avg(unique_count) as unique_avg , stdev(unique_count) as unique_std -| eval upperBound_unique=(unique_avg+unique_std*3) ``` adjust formula for sensitivity``` +| eval upperBound_unique=(1+unique_avg+unique_std*3) ``` adjust formula for sensitivity``` | eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), 0) | where isOutlier==1 | `security_content_ctime(firstTime)` From bcbff276a91010e8ab9faeed312486e69cc54987 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Mon, 18 Mar 2024 09:16:17 -0400 Subject: [PATCH 11/14] Update windows_unusual_ntlm_authentication_users_by_source.yml --- .../windows_unusual_ntlm_authentication_users_by_source.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml index a8120871ee..9bc1940f8c 100644 --- a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml +++ b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml 
@@ -15,7 +15,7 @@ search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=* | `windows_unusual_ntlm_authentication_users_by_source_filter` | stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(user))) as unique_count by src | eventstats avg(unique_count) as unique_avg , stdev(unique_count) as unique_std -| eval upperBound_unique=(unique_avg+unique_std*3) ``` adjust formula for sensitivity``` +| eval upperBound_unique=(1+unique_avg+unique_std*3) ``` adjust formula for sensitivity``` | eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), 0) | where isOutlier==1 | `security_content_ctime(firstTime)` From dc30b0934cf8589f2b4afbbf65e742324dda3a93 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Mon, 18 Mar 2024 09:17:27 -0400 Subject: [PATCH 12/14] Update windows_multiple_ntlm_null_domain_authentications.yml --- .../windows_multiple_ntlm_null_domain_authentications.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml b/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml index 596637e8ba..86293f790d 100644 --- a/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml +++ b/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml 
@@ -15,7 +15,7 @@ search: '`ntlm_audit` EventCode IN (8004,8005,8006) DomainName=NULL UserName!=NU | `windows_multiple_ntlm_null_domain_authentications_filter` | stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(user))) as unique_count by dest | eventstats avg(unique_count) as unique_avg , stdev(unique_count) as unique_std -| eval upperBound_unique=(unique_avg+unique_std*3) ``` adjust formula for sensitivity``` +| eval upperBound_unique=(1+unique_avg+unique_std*3) ``` adjust formula for sensitivity``` | eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), 0) | where isOutlier==1 | `security_content_ctime(firstTime)` From 740651437df3744fca953c3290794a7496550125 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Mon, 15 Apr 2024 07:32:08 -0400 Subject: [PATCH 13/14] Update windows_multiple_ntlm_null_domain_authentications.yml --- .../windows_multiple_ntlm_null_domain_authentications.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml b/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml index 86293f790d..89982e140a 100644 --- a/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml +++ b/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml 
@@ -13,7 +13,7 @@ search: '`ntlm_audit` EventCode IN (8004,8005,8006) DomainName=NULL UserName!=NU | eval dest = SChannelName, user = UserName ``` CIM alignment``` | where SChannelName!=src ``` Remove NTLM auths to self, improves accuracy for certain applications``` | `windows_multiple_ntlm_null_domain_authentications_filter` -| stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(user))) as unique_count by dest +| stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(user))) as unique_count dc(eval(upper(src))) as src_count by dest | eventstats avg(unique_count) as unique_avg , stdev(unique_count) as unique_std | eval upperBound_unique=(1+unique_avg+unique_std*3) ``` adjust formula for sensitivity``` | eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), 0) From 8d002b39ff6d113f6855bcafc0c3c3697b2ebf02 Mon Sep 17 00:00:00 2001 From: ljstella Date: Mon, 29 Jul 2024 10:32:32 -0500 Subject: [PATCH 14/14] Updated message field --- .../windows_multiple_ntlm_null_domain_authentications.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml b/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml index 89982e140a..c33eb07a00 100644 --- a/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml +++ b/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml @@ -34,7 +34,7 @@ tags: asset_type: Endpoint confidence: 100 impact: 75 - message: The device [$dest$] was the target of $count$ NTLM authentications from $src_count$ sources using $user_count$ unique user accounts. + message: The device [$dest$] was the target of $count$ NTLM authentications from $src_count$ sources using $unique_count$ unique user accounts. mitre_attack_id: - T1110 - T1110.003
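Review bot: the sentence appended to `known_false_positives` in the first hunk of this section (`+known_false_positives: Vulnerability scanners, print servers, ... Recommend adjusting the upperBound_unique eval ...`) is a run-on that mixes a false-positive source with a tuning instruction; suggest splitting it into two sentences and moving the tuning guidance to `how_to_implement`, e.g. `Recommend adjusting the upperBound_unique eval to tailor the correlation to your environment. Running with a 24hr search window will smooth out some statistical noise.` The unchanged `how_to_implement` line in the same hunk also states the analytic is "specific to EventID 8004~8006" while the search filters on `EventCode = 8004` only; one of the two should be corrected so the documentation matches the query.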
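Review bot: the `1+` added to `upperBound_unique` in patches 08 through 12 is not explained, and the inline comment still reads only ``` adjust formula for sensitivity```. Because the threshold is applied as `unique_count > upperBound_unique`, the extra 1 acts as a minimum margin: a group that is one above a near-constant baseline (where `unique_std` is close to 0) is no longer flagged, which is presumably the intent. Suggest stating that in the comment, e.g. ``` +1 floor so a single extra value above a flat baseline is not an outlier ```. The same formula is now duplicated verbatim in five detections; a shared macro would keep future sensitivity changes in sync.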
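Review bot: the stats change in patch 13 adds `dc(eval(upper(src))) as src_count` to the `by dest` output, but nothing else in the hunk consumes it: `eventstats` and the outlier test still key only on `unique_count`, so `src_count` is a display field rather than part of the detection logic. If it is intended for the alert message, the message in the `tags:` block needs to reference it (that block is not touched in this patch); a brief comment on the stats line stating the purpose of `src_count` would make this clear to the next reader.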
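Review bot: the message fix in patch 14 (`$user_count$` to `$unique_count$`) corrects a token for a field the search never produced, so before this change that part of the message would not have been substituted. `$src_count$` in the same message now depends on the stats line introduced in patch 13; since YAML validation will not catch a mismatched field token, suggest the `tests:` block using the `ntlm_bruteforce.log` dataset also verify that `count`, `src_count`, `unique_count` and `dest` are all present in the search output.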