
SPL

Detect Username Guessing Brute Force Attacks

Description

Submitted by DaveyBoy

The search below detects a form of brute force that most searches miss. Other searches catch many failed logins against a single account, but they fail to catch 4 failed logins against each of 40 accounts. This search first finds every account with 4 or more login failures in the time window, then counts how many accounts crossed that bar (5 in the example below). So if someone unsuccessfully tries 4 or more different passwords against 5 or more accounts, the alarm trips.
sourcetype=windows EventCode=4625 OR EventCode=4624 
 | bin _time span=5m as minute 
 | rex "Security ID:\s*\w*\s*\w*\s*Account Name:\s*(?<username>.*)\s*Account Domain:" 
 | stats count(Keywords) as Attempts,
 count(eval(match(Keywords,"Audit Failure"))) as Failed,
 count(eval(match(Keywords,"Audit Success"))) as Success by minute username
 | where Failed>=4
 | stats dc(username) as Total by minute 
 | where Total>5
 

Comments


John
4/30/2019

I like it, but these are the modifications I made to resolve some issues I had and output more information about the accounts involved. Cleans up the time also.

sourcetype=wineventlog EventCode=4625 OR EventCode=4624
| bin _time span=5m as minute
| stats count(Keywords) as Attempts,
 count(eval(match(Keywords,"Audit Failure"))) as Failed,
 count(eval(match(Keywords,"Audit Success"))) as Success by minute user
| where Failed>=4
| stats values(user) AS userlist dc(user) AS Total BY minute
| where Total>5
| eval minute=strftime(minute,"%m/%d/%y %H:%M:%S")

Alejandro
11/18/2019

How to group by source address? Thank you.

DaveyBoy Author
11/20/2019

You just need to drill into each user independently and finish with a

| stats count by host

or

| stats count by Source_Network_Address

It depends where it's failing.

source="wineventlog:security" EventCode=4625
| rex "Account For Which Logon Failed:\s*Security ID:\s*.*\s*Account Name:\s*(?<accountName>.*)\s*Account Domain:\s*.*\s*Fail"
| stats count by host accountName
| sort count desc

This will tell you which account has failed and the machine it failed on. If it was attempting to connect to a network resource, change the stats count to "stats count by Source_Network_Address accountName" and that should give you the offending host.

Brian
4/20/2020

Brute force login attempts against "Known Usernames" vs "Username Guessing" are uniquely different circumstances... because if the "Username" is Not Valid -- the Event Code 4625 (Failed Login) can tell you this much more easily via the SubStatus code. Thus significantly reducing false positives and search overhead for other failed logons.

0xC0000064 = user name does not exist

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625

However if you have "Known Usernames" and "Password Guessing"... then the general use case for your search (i.e. multiple failed logon events) is still valid.
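As an added example (not part of the submitted search or of any comment above), the logic of the search in the description, John's userlist output and Brian's Sub Status point, carried out in Python over constructed 4624/4625 event text: events are binned into 5-minute spans, failures are counted per account, accounts with Failed>=4 are kept, distinct accounts per span are counted, and a span alerts when Total>5. Accounts whose failures all carry Sub Status 0xC0000064 are reported separately, since those names do not exist and point at username guessing rather than password spraying against known accounts. The account names, timestamps and message text are constructed; the message layout and the regexes only approximate the real 4625/4624 text, and 0xC000006A (bad password on an existing account) is the one Sub Status code used here that the page does not cite.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds taken from the submitted search: `where Failed>=4` and `where Total>5`.
SPAN_MINUTES = 5
MIN_FAILED_PER_USER = 4
MIN_DISTINCT_USERS = 5          # alert when strictly more than this many accounts

# Sub Status cited in the comments: the account name does not exist.
NONEXISTENT_USER = "0xc0000064"

# Regexes modelled on the rex in the search and the author's reply: the account that
# failed follows "Account For Which Logon Failed:", the one that succeeded "New Logon:".
FAILED_USER = re.compile(
    r"Account For Which Logon Failed:\s*Security ID:\s*\S+\s*Account Name:\s*(?P<username>\S+)\s*Account Domain:")
SUCCESS_USER = re.compile(
    r"New Logon:\s*Security ID:\s*\S+\s*Account Name:\s*(?P<username>\S+)\s*Account Domain:")
SUB_STATUS = re.compile(r"Sub Status:\s*(0x[0-9A-Fa-f]+)")


def span_bucket(ts):
    """Equivalent of `bin _time span=5m`: floor the timestamp to a 5-minute boundary."""
    floored = ts.replace(second=0, microsecond=0)
    return floored - timedelta(minutes=floored.minute % SPAN_MINUTES)


def parse_event(ts, event_code, message):
    """Return (bucket, username, failed, sub_status) or None for events that are not scored."""
    if event_code == 4625:
        match, failed = FAILED_USER.search(message), True
    elif event_code == 4624:
        match, failed = SUCCESS_USER.search(message), False
    else:
        return None
    if not match:
        return None
    sub = SUB_STATUS.search(message)
    return span_bucket(ts), match.group("username"), failed, (sub.group(1).lower() if sub else None)


def detect(events):
    """Mirror the SPL pipeline; return {bucket: {"Total", "userlist", "nonexistent_accounts"}}."""
    # First stats: Attempts / Failed / Success by minute, username.
    per_user = defaultdict(lambda: {"Attempts": 0, "Failed": 0, "Success": 0, "NoSuchUser": 0})
    for ts, code, message in events:
        parsed = parse_event(ts, code, message)
        if parsed is None:
            continue
        bucket, user, failed, sub = parsed
        row = per_user[(bucket, user)]
        row["Attempts"] += 1
        if failed:
            row["Failed"] += 1
            if sub == NONEXISTENT_USER:
                row["NoSuchUser"] += 1
        else:
            row["Success"] += 1
    # `where Failed>=4`, then second stats: dc(username) and values(username) by minute.
    per_bucket = defaultdict(dict)
    for (bucket, user), row in per_user.items():
        if row["Failed"] >= MIN_FAILED_PER_USER:
            per_bucket[bucket][user] = row
    alerts = {}
    for bucket, users in sorted(per_bucket.items()):
        if len(users) > MIN_DISTINCT_USERS:          # `where Total>5`
            alerts[bucket] = {
                "Total": len(users),
                "userlist": sorted(users),
                # Names that only ever failed with 0xC0000064 were guessed, not sprayed.
                "nonexistent_accounts": sorted(u for u, r in users.items() if r["NoSuchUser"] == r["Failed"]),
            }
    return alerts


# --- Constructed sample events (not real log data); layout approximates 4625/4624 text. ---
def failure(ts, user, sub="0xC000006A"):
    return (ts, 4625, "An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - "
            "Account Domain: - Account For Which Logon Failed: Security ID: S-1-0-0 "
            f"Account Name: {user} Account Domain: CORP Failure Information: "
            f"Status: 0xC000006D Sub Status: {sub}")


def success(ts, user):
    return (ts, 4624, "An account was successfully logged on. Subject: Security ID: S-1-5-18 "
            "Account Name: HOST$ Account Domain: CORP New Logon: Security ID: S-1-5-21-1 "
            f"Account Name: {user} Account Domain: CORP")


BASE = datetime(2019, 4, 30, 9, 2)
SAMPLE_EVENTS = []
for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
    SAMPLE_EVENTS += [failure(BASE + timedelta(seconds=10 * i + n), user) for n in range(4)]
for i, user in enumerate(["admin1", "test"]):   # guessed names that do not exist
    SAMPLE_EVENTS += [failure(BASE + timedelta(seconds=60 + 10 * i + n), user, "0xC0000064") for n in range(4)]
SAMPLE_EVENTS += [failure(BASE, "grace"), failure(BASE + timedelta(seconds=5), "grace"),
                  success(BASE + timedelta(seconds=30), "grace")]   # below threshold, then logs in
LATER = datetime(2019, 4, 30, 9, 7)             # a span with only two accounts over threshold
for user in ["heidi", "ivan"]:
    SAMPLE_EVENTS += [failure(LATER + timedelta(seconds=n), user) for n in range(4)]

if __name__ == "__main__":
    for bucket, alert in detect(SAMPLE_EVENTS).items():
        print(bucket.strftime("%m/%d/%y %H:%M:%S"), alert)
```

Run as a script it prints one alert for the 09:00 span (eight accounts, two of them nonexistent) and nothing for the 09:05 span, where only two accounts cross the per-account threshold. The `nonexistent_accounts` split is the cheap win from Brian's comment: those names can be dropped from a password-spray alert or routed to a separate username-guessing alert without re-running the search.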
