Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials

Status
production
Severity
low
Group by
_time, computer_name, user
Author
Mauricio Velazco, Splunk
Source
github.com/splunk/security_content

The following analytic identifies a source user failing to authenticate with multiple users using explicit credentials on a host. It leverages Windows Event Code 4648 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment.

MITRE ATT&CK coverage

Tactic             Technique
Credential Access  T1110.003 Brute Force: Password Spraying

Event coverage

Rule body splunk

name: Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
id: 14f414cf-3080-4b9b-aaf6-55a4ce947b93
version: 12
creation_date: '2021-04-14'
modification_date: '2026-05-13'
author: Mauricio Velazco, Splunk
status: production
type: Anomaly
description: The following analytic identifies a source user failing to authenticate with multiple users using explicit credentials on a host. It leverages Windows Event Code 4648 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment.
data_source:
    - Windows Event Log Security 4648
search: |-
    `wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$
      | bucket span=5m _time
      | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as user values(dest) as dest values(src_ip) as src_ip
        BY _time, Computer, Caller_User_Name
      | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std
        BY Computer
      | eval upperBound=(comp_avg+comp_std*3)
      | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0)
      | search isOutlier=1
      | `windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter`
how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.
known_false_positives: A source user failing to authenticate as multiple users on a host is not common behavior for regular systems. Some applications, however, may exhibit this behavior, in which case the affected user and host pairs can be added to an allow list. Possible false positive scenarios include systems that many users connect to, such as mail servers, identity providers, remote desktop services, Citrix, etc.
references:
    - https://attack.mitre.org/techniques/T1110/003/
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: user
          type: user
          score: 20
          message: Potential password spraying attack from $Computer$
        - field: Computer
          type: system
          score: 20
          message: Potential password spraying attack from $Computer$
analytic_story:
    - Active Directory Password Spraying
    - Insider Threat
    - Volt Typhoon
asset_type: Endpoint
mitre_attack_id:
    - T1110.003
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/windows-security.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog
      name: True Positive Test
      test_type: unit

Stages and Predicates

Stage 1: search

`wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$

Stage 2: bucket

| bucket span=5m _time

Stage 3: stats

| stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as user values(dest) as dest values(src_ip) as src_ip
    BY _time, Computer, Caller_User_Name

Stage 4: eventstats

| eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std
    BY Computer

Stage 5: eval

| eval upperBound=(comp_avg+comp_std*3)

Stage 6: eval

| eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0)
isOutlier = 1 if unique_accounts > 10 AND unique_accounts >= upperBound, else 0

Stage 7: search

| search isOutlier=1

Stage 8: search

| `windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter`
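
The pipeline above is easiest to reason about when the eight stages are run over concrete events. The following is an added example, not code from security_content or from the rule's author: a Python re-implementation of Stages 1 to 7 applied to constructed 4648 events (hypothetical hosts WS01, WS02 and SRV03 and user names; no real logs). It assumes Splunk's stdev() is the sample standard deviation (N-1) and returns 0 for a single row, and that `bucket span=5m` floors _time to an epoch-aligned 5-minute boundary. The three hosts are chosen to show the threshold's edge cases: a host with a dozen baseline buckets (the spray is flagged), a host with only three baseline buckets (the spray inflates its own mean and stdev and is not flagged), and a host with no baseline at all (the 3-sigma rule collapses to the fixed `> 10` floor).

```python
from collections import defaultdict
from math import sqrt

SPAN = 300    # bucket span=5m
SIGMA = 3     # upperBound = comp_avg + comp_std*3
FLOOR = 10    # unique_accounts > 10


def sample_stdev(values):
    """Sample standard deviation (N-1). Assumed to match Splunk stdev(); a single row yields 0."""
    n = len(values)
    if n < 2:
        return 0.0
    m = sum(values) / n
    return sqrt(sum((v - m) ** 2 for v in values) / (n - 1))


def score_rows(events):
    """Stages 1-6 of the SPL: returns one scored row per (_time bucket, Computer, Caller_User_Name)."""
    # Stage 1: EventCode=4648, drop machine accounts (names ending in $) on both sides
    kept = [e for e in events
            if e["EventCode"] == 4648
            and not e["Caller_User_Name"].endswith("$")
            and not e["Target_User_Name"].endswith("$")]
    # Stages 2-3: floor _time to a 5-minute bucket, then dc()/values() BY _time, Computer, Caller_User_Name
    groups = defaultdict(lambda: {"user": set(), "dest": set(), "src_ip": set()})
    for e in kept:
        key = (int(e["_time"] // SPAN) * SPAN, e["Computer"], e["Caller_User_Name"])
        groups[key]["user"].add(e["Target_User_Name"])
        groups[key]["dest"].add(e["dest"])
        groups[key]["src_ip"].add(e["src_ip"])
    rows = [{"_time": t, "Computer": c, "Caller_User_Name": caller,
             "unique_accounts": len(g["user"]), "user": sorted(g["user"]),
             "dest": sorted(g["dest"]), "src_ip": sorted(g["src_ip"])}
            for (t, c, caller), g in groups.items()]
    # Stage 4: eventstats avg()/stdev() of unique_accounts BY Computer, over every row including the outlier itself
    per_comp = defaultdict(list)
    for r in rows:
        per_comp[r["Computer"]].append(r["unique_accounts"])
    # Stages 5-6: threshold and flag
    for r in rows:
        vals = per_comp[r["Computer"]]
        comp_avg = sum(vals) / len(vals)
        comp_std = sample_stdev(vals)
        r["upperBound"] = comp_avg + comp_std * SIGMA
        r["isOutlier"] = int(r["unique_accounts"] > FLOOR and r["unique_accounts"] >= r["upperBound"])
    return rows


def run_detection(events):
    """Stage 7: keep only isOutlier=1 (sorted so output is stable)."""
    return sorted((r for r in score_rows(events) if r["isOutlier"]),
                  key=lambda r: (r["Computer"], r["_time"]))


def _ev(ts, computer, caller, target, src_ip="10.10.1.23"):
    # Constructed event carrying only the fields the rule reads (hypothetical values)
    return {"_time": ts, "EventCode": 4648, "Computer": computer,
            "Caller_User_Name": caller, "Target_User_Name": target,
            "dest": computer, "src_ip": src_ip}


def build_sample_events():
    """Constructed sample data, not real logs."""
    ev = []
    t0 = 1_704_067_200  # 2024-01-01T00:00:00Z, aligned to a 5-minute boundary
    # WS01: 12 buckets of normal explicit-credential use by alice (1 or 2 targets each),
    # then one bucket in which alice tries 15 distinct accounts
    for i in range(12):
        t = t0 + i * SPAN
        ev.append(_ev(t + 10, "WS01.corp.local", "alice", "svc_backup"))
        if i % 2:
            ev.append(_ev(t + 20, "WS01.corp.local", "alice", "alice_adm"))
    t = t0 + 12 * SPAN
    ev += [_ev(t + k, "WS01.corp.local", "alice", f"user{k:02d}") for k in range(15)]
    # WS02: only 3 baseline buckets (1, 2, 1 targets) before an identical 15-account spray by bob
    for i, n in enumerate((1, 2, 1)):
        t = t0 + i * SPAN
        ev += [_ev(t + k, "WS02.corp.local", "bob", ("svc_sql", "bob_adm")[k]) for k in range(n)]
    t = t0 + 3 * SPAN
    ev += [_ev(t + k, "WS02.corp.local", "bob", f"user{k:02d}") for k in range(15)]
    # SRV03: no baseline at all, a single bucket in which carol tries 12 distinct accounts
    ev += [_ev(t0 + k, "SRV03.corp.local", "carol", f"user{k:02d}") for k in range(12)]
    # machine-account noise that Stage 1 drops
    ev.append(_ev(t0 + 5, "WS01.corp.local", "WS01$", "DC01$"))
    return ev


if __name__ == "__main__":
    for r in run_detection(build_sample_events()):
        print(r["Computer"], r["Caller_User_Name"], r["unique_accounts"], round(r["upperBound"], 2))
```

Two things the run makes visible. First, eventstats computes comp_avg and comp_std over every bucket in the search window, the spray bucket included, so on WS02 the 15-account row lifts its own upperBound to about 25.3 and is not flagged, while on WS01 the same spray sits above an upperBound of about 13.9; a short search window or a rarely used host therefore weakens the 3-sigma check, and on SRV03 (one bucket, stdev 0) only the fixed `> 10` floor is doing any work. Second, Event 4648 records that a logon was attempted with explicit credentials and is written whether or not the logon succeeded, so the count here is of attempts, not confirmed failures; correlating the flagged (Computer, Caller_User_Name, bucket) with 4625 or 4771 failures is the natural triage step before scoring a finding.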

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field             Operator  Value  Corpus
Caller_User_Name  ne        *$     3 (splunk 3)
EventCode         eq        4648   5 (splunk 5)
Target_User_Name  ne        *$     2 (splunk 2)
isOutlier         eq        1      28 (splunk 28)

(eq = equals, ne = not equal)