Detection rules › Splunk
Windows Unusual Count Of Users Failed To Authenticate Using NTLM
The following analytic identifies a source endpoint failing to authenticate multiple valid users using the NTLM protocol, potentially indicating a Password Spraying attack. It leverages Event 4776 from Domain Controllers, calculating the standard deviation for each host and applying the 3-sigma rule to detect anomalies. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges. If confirmed malicious, the attacker could compromise multiple accounts, leading to unauthorized access and potential lateral movement within the network.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1110.003 Brute Force: Password Spraying |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4776 | The domain controller attempted to validate the credentials for an account. |
Rule body splunk
name: Windows Unusual Count Of Users Failed To Authenticate Using NTLM
id: 6f6c8fd7-6a6b-4af9-a0e9-57cfc47a58b4
version: 12
creation_date: '2021-04-14'
modification_date: '2026-05-13'
author: Mauricio Velazco, Splunk
status: production
type: Anomaly
description: The following analytic identifies a source endpoint failing to authenticate multiple valid users using the NTLM protocol, potentially indicating a Password Spraying attack. It leverages Event 4776 from Domain Controllers, calculating the standard deviation for each host and applying the 3-sigma rule to detect anomalies. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges. If confirmed malicious, the attacker could compromise multiple accounts, leading to unauthorized access and potential lateral movement within the network.
data_source:
- Windows Event Log Security 4776
search: |-
`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A
| bucket span=2m _time
| stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts values(dest) as dest
BY _time, Workstation
| eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std
BY Workstation
| eval upperBound=(comp_avg+comp_std*3)
| eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0)
| search isOutlier=1
| `windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter`
how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled.
known_false_positives: A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.
references:
- https://attack.mitre.org/techniques/T1110/003/
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
drilldown_searches:
- name: View the detection results for - "$Workstation$"
search: '%original_detection_search% | search Workstation = "$Workstation$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Workstation$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Workstation$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
intermediate_findings:
entities:
- field: Workstation
type: system
score: 20
message: Potential NTLM based password spraying attack from $Workstation$
analytic_story:
- Active Directory Password Spraying
- Volt Typhoon
asset_type: Endpoint
mitre_attack_id:
- T1110.003
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
- attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/windows-security.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
name: True Positive Test
test_type: unit
Stages and Predicates
Stage 1: search
`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A
Stage 2: bucket
| bucket span=2m _time
Stage 3: stats
| stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts values(dest) as dest
BY _time, Workstation
Stage 4: eventstats
| eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std
BY Workstation
Stage 5: eval
| eval upperBound=(comp_avg+comp_std*3)
Stage 6: eval
| eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0)
isOutlier =if
unique_accounts > 10 AND unique_accounts >= upperBound1else
0Stage 7: search
| search isOutlier=1
Stage 8: search
| `windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Status | eq |
|
TargetUserName | ne |
|
isOutlier | eq |
|