Detection rules › Splunk
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
The following analytic identifies a source endpoint failing to authenticate with multiple invalid users using the NTLM protocol. It leverages EventCode 4776 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access or privilege escalation, posing a significant threat to the Active Directory environment. This detection is focused on domain controllers.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1110.003 Brute Force: Password Spraying |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4776 | The domain controller attempted to validate the credentials for an account. |
Rule body splunk
name: Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
id: 15603165-147d-4a6e-9778-bd0ff39e668f
version: 12
creation_date: '2021-04-14'
modification_date: '2026-05-13'
author: Mauricio Velazco, Splunk
status: production
type: Anomaly
description: The following analytic identifies a source endpoint failing to authenticate with multiple invalid users using the NTLM protocol. It leverages EventCode 4776 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access or privilege escalation, posing a significant threat to the Active Directory environment. This detection is focused on domain controllers.
data_source:
- Windows Event Log Security 4776
search: |-
`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064
| bucket span=2m _time
| stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user values(dest) as dest
BY _time, Workstation
| eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std
BY Workstation
| eval upperBound=(comp_avg+comp_std*3)
| eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0)
| search isOutlier=1
| rename Workstation as src
| `windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter`
how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation' within `Account Logon` needs to be enabled.
known_false_positives: A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.
references:
- https://attack.mitre.org/techniques/T1110/003/
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
drilldown_searches:
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
intermediate_findings:
entities:
- field: user
type: user
score: 20
message: Potential NTLM based password spraying attack from $src$
- field: src
type: system
score: 20
message: Potential NTLM based password spraying attack from $src$
analytic_story:
- Active Directory Password Spraying
- Volt Typhoon
asset_type: Endpoint
mitre_attack_id:
- T1110.003
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
- attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/windows-security.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
name: True Positive Test
test_type: unit
Stages and Predicates
Stage 1: search
`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064
Stage 2: bucket
| bucket span=2m _time
Stage 3: stats
| stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user values(dest) as dest
BY _time, Workstation
Stage 4: eventstats
| eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std
BY Workstation
Stage 5: eval
| eval upperBound=(comp_avg+comp_std*3)
Stage 6: eval
| eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0)
isOutlier =if
unique_accounts > 10 AND unique_accounts >= upperBound1else
0Stage 7: search
| search isOutlier=1
Stage 8: rename
| rename Workstation as src
Stage 9: search
| `windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Status | eq |
|
TargetUserName | ne |
|
isOutlier | eq |
|