splunk · patel-bhavin · Aug 6, 2024 · Mar 16, 2024 · Mar 16, 2024 · Mar 18, 2024
@@ -0,0 +1,63 @@
+name: Windows Multiple NTLM Null Domain Authentications
+id: c187ce2c-c88e-4cec-8a1c-607ca0dedd78
+version: 1
+date: '2024-03-16'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic detects when a device is the target of numerous NTLM authentications using a null domain. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to a domain joined Windows device from a non-domain device. This activity may also generate a large number of EventID 4776 events in tandem, however these events will not indicate the attacker or target device
+data_source:
+- NTLM Operational 8004,8005,8006
+search: '`ntlm_audit` EventCode IN (8004,8005,8006) DomainName=NULL UserName!=NULL
+| eval src = replace(WorkstationName,"\\\\","")  ```CIM alignment, remove leading \\ from some auth attempts ```
+| eval dest = SChannelName, user = UserName ``` CIM alignment```
+| where SChannelName!=src ``` Remove NTLM auths to self, improves accuracy for certain applications```
+| `windows_multiple_ntlm_null_domain_authentications_filter`
+| stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(user))) as unique_count dc(eval(upper(src))) as src_count by dest
+| eventstats avg(unique_count) as unique_avg , stdev(unique_count) as unique_std
+| eval upperBound_unique=(1+unique_avg+unique_std*3) ``` adjust formula for sensitivity```
+| eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), 0)
+| where isOutlier==1
+| `security_content_ctime(firstTime)` 
+| `security_content_ctime(lastTime)`'
+how_to_implement: The following analytic requires that NTLM Operational logs to be imported from the environment Domain Controllers. This requires configuration of specific auditing settings, see Microsoft references for further guidance. This analytic is specific to EventID 8004~8006.
+known_false_positives: Applications that deal with non-domain joined authentications. Recommend adjusting the upperBound_unique eval for tailoring the correlation to your environment, running with a 24hr search window will smooth out some statistical noise.
+references:
+- https://attack.mitre.org/techniques/T1110/003/
+- https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191
+- https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/enriched-ntlm-authentication-data-using-windows-event-8004/m-p/871827
+- https://www.varonis.com/blog/investigate-ntlm-brute-force
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/4d1235e3-2c96-4e9f-a147-3cb338a0d09f
+tags:
+  analytic_story:
+  - Active Directory Password Spraying
+  asset_type: Endpoint
+  confidence: 100
+  impact: 75
+  message: The device [$dest$] was the target of $count$ NTLM authentications from $src_count$ sources using $unique_count$ unique user accounts.
+  mitre_attack_id:
+  - T1110
+  - T1110.003
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - EventCode
+  - DomainName
+  - Security
+  - WorkstationName
+  risk_score: 50
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log
+    source: XmlWinEventLog:Microsoft-Windows-NTLM/Operational
+    sourcetype: XmlWinEventLog
@@ -0,0 +1,63 @@
+name: Windows Unusual NTLM Authentication Destinations By Source
+id: ae9b0df5-5fb0-477f-abc9-47faf42aa91d
+version: 1
+date: '2024-03-16'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic detects when an unusual number NTLM authentications is attempted by the same source against multiple destinations. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to a multiple domain joined Windows devices using an NTLM based process/attack. This same activity may also generate a large number of EventID 4776 events as well.
+data_source:
+- NTLM Operational 8004,8005,8006
+search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=*
+| eval src = replace(WorkstationName,"\\\\","")  ```CIM alignment, remove leading \\ from some auth attempts ```
+| eval dest = SChannelName, user = UserName ``` CIM alignment```
+| where SChannelName!=src ``` Remove NTLM auths to self, improves accuracy for certain applications ```
+| `windows_unusual_ntlm_authentication_destinations_by_source_filter`
+| stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(dest))) as unique_count by src
+| eventstats avg(unique_count) as unique_avg , stdev(unique_count) as unique_std
+| eval upperBound_unique=(1+unique_avg+unique_std*3) ``` adjust formula for sensitivity```
+| eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), 0)
+| where isOutlier==1
+| `security_content_ctime(firstTime)` 
+| `security_content_ctime(lastTime)`'
+how_to_implement: The following analytic requires that NTLM Operational logs to be imported from the environment Domain Controllers. This requires configuration of specific auditing settings, see Microsoft references for further guidance. This analytic is specific to EventID 8004~8006.
+known_false_positives: Vulnerability scanners, print servers, and applications that deal with non-domain joined authentications. Recommend adjusting the upperBound_unique eval for tailoring the correlation to your environment, running with a 24hr search window will smooth out some statistical noise.
+references:
+- https://attack.mitre.org/techniques/T1110/003/
+- https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191
+- https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/enriched-ntlm-authentication-data-using-windows-event-8004/m-p/871827
+- https://www.varonis.com/blog/investigate-ntlm-brute-force
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/4d1235e3-2c96-4e9f-a147-3cb338a0d09f
+tags:
+  analytic_story:
+  - Active Directory Password Spraying
+  asset_type: Endpoint
+  confidence: 100
+  impact: 25
+  message: The device [$src$] attempted $count$ NTLM authentications against $unique_count$ destinations.
+  mitre_attack_id:
+  - T1110
+  - T1110.003
+  observable:
+  - name: src
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - EventCode
+  - DomainName
+  - Security
+  - WorkstationName
+  risk_score: 25
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log
+    source: XmlWinEventLog:Microsoft-Windows-NTLM/Operational
+    sourcetype: XmlWinEventLog
@@ -0,0 +1,63 @@
+name: Windows Unusual NTLM Authentication Destinations By User
+id: a4d86702-402b-4a4f-8d06-9d61e6c39cad
+version: 1
+date: '2024-03-16'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic detects when an unusual number of NTLM authentications is attempted by the same user account against multiple destinations. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to numerous domain joined Windows devices using an NTLM based process/attack. This same activity may also generate a large number of EventID 4776 events as well.
+data_source:
+- NTLM Operational 8004,8005,8006
+search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=*
+| eval src = replace(WorkstationName,"\\\\","")  ```CIM alignment, remove leading \\ from some auth attempts ```
+| eval dest = SChannelName, user = UserName ``` CIM alignment```
+| where SChannelName!=src ``` Remove NTLM auths to self, improves accuracy for certain applications ```
+| `windows_unusual_ntlm_authentication_destinations_by_user_filter`
+| stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(dest))) as unique_count by user
+| eventstats avg(unique_count) as unique_avg , stdev(unique_count) as unique_std
+| eval upperBound_unique=(1+unique_avg+unique_std*3) ``` adjust formula for sensitivity```
+| eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), 0)
+| where isOutlier==1
+| `security_content_ctime(firstTime)` 
+| `security_content_ctime(lastTime)`'
+how_to_implement: The following analytic requires that NTLM Operational logs to be imported from the environment Domain Controllers. This requires configuration of specific auditing settings, see Microsoft references for further guidance. This analytic is specific to EventID 8004~8006.
+known_false_positives: Vulnerability scanners, print servers, and applications that deal with non-domain joined authentications. Recommend adjusting the upperBound_unique eval for tailoring the correlation to your environment, running with a 24hr search window will smooth out some statistical noise.
+references:
+- https://attack.mitre.org/techniques/T1110/003/
+- https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191
+- https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/enriched-ntlm-authentication-data-using-windows-event-8004/m-p/871827
+- https://www.varonis.com/blog/investigate-ntlm-brute-force
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/4d1235e3-2c96-4e9f-a147-3cb338a0d09f
+tags:
+  analytic_story:
+  - Active Directory Password Spraying
+  asset_type: Endpoint
+  confidence: 100
+  impact: 25
+  message: The user [$user$] attempted $count$ NTLM authentications against $unique_count$ destinations.
+  mitre_attack_id:
+  - T1110
+  - T1110.003
+  observable:
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - EventCode
+  - DomainName
+  - Security
+  - WorkstationName
+  risk_score: 25
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log
+    source: XmlWinEventLog:Microsoft-Windows-NTLM/Operational
+    sourcetype: XmlWinEventLog
@@ -0,0 +1,63 @@
+name: Windows Unusual NTLM Authentication Users By Destination
+id: 1120a204-8444-428b-8657-6ea4e1f3e840
+version: 1
+date: '2024-03-16'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic detects when a device is the target of numerous NTLM authentications using a null domain. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to a domain joined Windows device from a non-domain device. This activity may also generate a large number of EventID 4776 events in tandem, however these events will not indicate the attacker or target device.
+data_source:
+- NTLM Operational 8004,8005,8006
+search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=*
+| eval src = replace(WorkstationName,"\\\\","")  ```CIM alignment, remove leading \\ from some auth attempts ```
+| eval dest = SChannelName, user = UserName ``` CIM alignment```
+| where SChannelName!=src ``` Remove NTLM auths to self, improves accuracy for certain applications ```
+| `windows_unusual_ntlm_authentication_users_by_destination_filter`
+| stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(user))) as unique_count by dest
+| eventstats avg(unique_count) as unique_avg , stdev(unique_count) as unique_std
+| eval upperBound_unique=(1+unique_avg+unique_std*3) ``` adjust formula for sensitivity```
+| eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), 0)
+| where isOutlier==1
+| `security_content_ctime(firstTime)` 
+| `security_content_ctime(lastTime)`'
+how_to_implement: The following analytic detects when an unusual number of NTLM authentications is attempted against the same destination. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to a domain joined Windows device using an NTLM based process/attack. This same activity may also generate a large number of EventID 4776 events as well.
+known_false_positives: Vulnerability scanners, print servers, and applications that deal with non-domain joined authentications. Recommend adjusting the upperBound_unique eval for tailoring the correlation to your environment, running with a 24hr search window will smooth out some statistical noise.
+references:
+- https://attack.mitre.org/techniques/T1110/003/
+- https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191
+- https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/enriched-ntlm-authentication-data-using-windows-event-8004/m-p/871827
+- https://www.varonis.com/blog/investigate-ntlm-brute-force
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/4d1235e3-2c96-4e9f-a147-3cb338a0d09f
+tags:
+  analytic_story:
+  - Active Directory Password Spraying
+  asset_type: Endpoint
+  confidence: 100
+  impact: 25
+  message: The device [$dest$] was the target of $count$ NTLM authentications using $unique_count$ unique user accounts.
+  mitre_attack_id:
+  - T1110
+  - T1110.003
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - EventCode
+  - DomainName
+  - Security
+  - WorkstationName
+  risk_score: 25
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log
+    source: XmlWinEventLog:Microsoft-Windows-NTLM/Operational
+    sourcetype: XmlWinEventLog
@@ -0,0 +1,63 @@
+name: Windows Unusual NTLM Authentication Users By Source
+id: 80fcc4d4-fd90-488e-b55a-4e7190ae6ce2
+version: 1
+date: '2024-03-16'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic detects when an unusual number of NTLM authentications is attempted by the same source. This activity generally results when an attacker attempts to brute force, password spray, or otherwise authenticate to a domain joined Windows device using an NTLM based process/attack. This same activity may also generate a large number of EventID 4776 events in as well.
+data_source:
+- NTLM Operational 8004,8005,8006
+search: '`ntlm_audit` EventCode = 8004 SChannelName=* WorkstationName=*
+| eval src = replace(WorkstationName,"\\\\","")  ```CIM alignment, remove leading \\ from some auth attempts ```
+| eval dest = SChannelName, user = UserName ``` CIM alignment```
+| where SChannelName!=src ``` Remove NTLM auths to self, improves accuracy for certain applications ```
+| `windows_unusual_ntlm_authentication_users_by_source_filter`
+| stats count min(_time) as firstTime max(_time) as lastTime dc(eval(upper(user))) as unique_count by src
+| eventstats avg(unique_count) as unique_avg , stdev(unique_count) as unique_std
+| eval upperBound_unique=(1+unique_avg+unique_std*3) ``` adjust formula for sensitivity```
+| eval isOutlier=CASE(unique_count > upperBound_unique, 1, true(), 0)
+| where isOutlier==1
+| `security_content_ctime(firstTime)` 
+| `security_content_ctime(lastTime)`'
+how_to_implement: The following analytic requires that NTLM Operational logs to be imported from the environment Domain Controllers. This requires configuration of specific auditing settings, see Microsoft references for further guidance. This analytic is specific to EventID 8004~8006.
+known_false_positives: Vulnerability scanners, print servers, and applications that deal with non-domain joined authentications. Recommend adjusting the upperBound_unique eval for tailoring the correlation to your environment, running with a 24hr search window will smooth out some statistical noise.
+references:
+- https://attack.mitre.org/techniques/T1110/003/
+- https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191
+- https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/enriched-ntlm-authentication-data-using-windows-event-8004/m-p/871827
+- https://www.varonis.com/blog/investigate-ntlm-brute-force
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/4d1235e3-2c96-4e9f-a147-3cb338a0d09f
+tags:
+  analytic_story:
+  - Active Directory Password Spraying
+  asset_type: Endpoint
+  confidence: 100
+  impact: 25
+  message: The device [$src$] attempted $count$ NTLM authentications using $unique_count$ user accounts.
+  mitre_attack_id:
+  - T1110
+  - T1110.003
+  observable:
+  - name: src
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - EventCode
+  - DomainName
+  - Security
+  - WorkstationName
+  risk_score: 25
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log
+    source: XmlWinEventLog:Microsoft-Windows-NTLM/Operational
+    sourcetype: XmlWinEventLog
@@ -0,0 +1,3 @@
+definition: sourcetype=XmlWinEventLog:Microsoft-Windows-NTLM/Operational OR source=XmlWinEventLog:Microsoft-Windows-NTLM/Operational
+description: Customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.
+name: ntlm_audit