Windows Rapid Authentication On Multiple Hosts

name: Windows Rapid Authentication On Multiple Hosts
id: 62606c77-d53d-4182-9371-b02cdbbbcef7
version: 11
creation_date: '2023-03-23'
modification_date: '2026-05-13'
author: Mauricio Velazco, Splunk
status: production
type: TTP
description: The following analytic detects a source computer authenticating to 30 or more remote endpoints within a 5-minute timespan using Event ID 4624. This behavior is identified by analyzing Windows Event Logs for LogonType 3 events and counting unique target computers. Such activity is significant as it may indicate lateral movement or network share enumeration by an adversary. If confirmed malicious, this could lead to unauthorized access to multiple systems, potentially compromising sensitive data and escalating privileges within the network.
data_source:
    - Windows Event Log Security 4624
search: |-
    `wineventlog_security` EventCode=4624 LogonType=3 TargetUserName!="ANONYMOUS LOGON" TargetUserName!="*$"
      | bucket span=5m _time
      | stats dc(Computer) AS unique_targets values(Computer) as host_targets values(dest) as dest values(src) as src values(user) as user
        BY _time, IpAddress, TargetUserName,
           action, app, authentication_method,
           signature, signature_id
      | where unique_targets > 30
      | `windows_rapid_authentication_on_multiple_hosts_filter`
how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.
known_false_positives: Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed.
references:
    - https://attack.mitre.org/techniques/T1135/
    - https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/
    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
drilldown_searches:
    - name: View the detection results for - "$host_targets$"
      search: '%original_detection_search% | search  host_targets = "$host_targets$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$host_targets$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host_targets$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: The source computer with ip address $IpAddress$ authenticated to a large number of remote endpoints within 5 minutes.
    entity:
        field: host_targets
        type: system
        score: 50
threat_objects:
    - field: IpAddress
      type: ip_address
analytic_story:
    - Active Directory Privilege Escalation
    - Active Directory Lateral Movement
asset_type: Endpoint
mitre_attack_id:
    - T1003.002
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/windows-security.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog
      test_type: unit