Detection rules › Splunk
Windows Unusual Count Of Users Remotely Failed To Auth From Host
The following analytic identifies a source host failing to authenticate against a remote host with multiple users, potentially indicating a Password Spraying attack. It leverages Windows Event 4625 (failed logon attempts) and Logon Type 3 (remote authentication) to detect this behavior. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and further compromise of the network.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1110.003 Brute Force: Password Spraying |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4625 | An account failed to log on. |
Rule body splunk
name: Windows Unusual Count Of Users Remotely Failed To Auth From Host
id: cf06a0ee-ffa9-4ed3-be77-0670ed9bab52
version: 12
creation_date: '2021-04-14'
modification_date: '2026-05-13'
author: Mauricio Velazco, Splunk
status: production
type: Anomaly
description: The following analytic identifies a source host failing to authenticate against a remote host with multiple users, potentially indicating a Password Spraying attack. It leverages Windows Event 4625 (failed logon attempts) and Logon Type 3 (remote authentication) to detect this behavior. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and further compromise of the network.
data_source:
- Windows Event Log Security 4625
search: |-
`wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!="-"
| bucket span=2m _time
| stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts values(dest) as dest values(src) as src values(user) as user
BY _time, IpAddress, Computer,
action, app, authentication_method,
signature, signature_id
| eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std
BY IpAddress, Computer
| eval upperBound=(comp_avg+comp_std*3)
| eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0)
| search isOutlier=1
| `windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter`
how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.
known_false_positives: A host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc.
references:
- https://attack.mitre.org/techniques/T1110/003/
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
drilldown_searches:
- name: View the detection results for - "$Computer$"
search: '%original_detection_search% | search Computer = "$Computer$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
intermediate_findings:
entities:
- field: Computer
type: system
score: 20
message: Potential password spraying attack on $Computer$
analytic_story:
- Active Directory Password Spraying
- Volt Typhoon
asset_type: Endpoint
mitre_attack_id:
- T1110.003
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
- attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/windows-security.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
name: True Positive Test
test_type: unit
Stages and Predicates
Stage 1: search
`wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!="-"
Stage 2: bucket
| bucket span=2m _time
Stage 3: stats
| stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts values(dest) as dest values(src) as src values(user) as user
BY _time, IpAddress, Computer,
action, app, authentication_method,
signature, signature_id
Stage 4: eventstats
| eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std
BY IpAddress, Computer
Stage 5: eval
| eval upperBound=(comp_avg+comp_std*3)
Stage 6: eval
| eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0)
isOutlier =if
unique_accounts > 10 AND unique_accounts >= upperBound1else
0Stage 7: search
| search isOutlier=1
Stage 8: search
| `windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
IpAddress | ne |
|
Logon_Type | eq |
|
isOutlier | eq |
|