Splunk Search for finding password spray - useful for "Jacked directly into the matrix"
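``` Password-spray hunt: many distinct accounts failing logon against one host. Base events are Windows Security 4625 (logon failure) with the bad-username/bad-password reason; machine accounts (user=*$) and the hosts listed in the host= clause are excluded. NOTE(review): domain-account failures are normally recorded on the domain controller, so excluding DC hosts here drops those events — confirm that is intended. ```
index=winevents sourcetype=WinEventLog:Security EventCode=4625 NOT(user=*$ OR host="insert Domain Controllers here") Failure_Reason="Unknown user name or bad password."
``` Bucket events into 30-minute windows. _time is also in the stats "by" clause below; without it the bucket only rounds firstTime/lastTime and user_count is counted over the entire search range instead of per window. ```
| bin span=30m _time
| stats min(_time) as firstTime max(_time) as lastTime count dc(user) as user_count values(user) as user_logon_attempts values(Source_Network_Address) as Source_Network_Addresses by _time host Logon_Type Failure_Reason
| fields _time firstTime lastTime host Logon_Type Failure_Reason user_count user_logon_attempts Source_Network_Addresses
| convert ctime(firstTime), ctime(lastTime)
``` Alert threshold: more than 50 distinct accounts failing on one host within one 30-minute window; tune per environment. ```
| where user_count>50
``` Flatten the multivalue user list and cap its length for the alert text. substr is 1-based in Splunk; start index 0 is presumably treated as 1 — verify. The trailing dots are appended regardless of whether truncation occurred. ```
| eval user_logon_attempts=mvjoin(user_logon_attempts, ", ")
| eval user_logon_attempts=substr(user_logon_attempts, 0, 500)
| eval user_logon_attempts=user_logon_attempts."................."
| eval Source_Network_Addresses=mvjoin(Source_Network_Addresses, "| -AND- |")
``` Rule metadata consumed by the alerting pipeline. T1110 is ATT&CK Brute Force; the password-spraying sub-technique is T1110.003 if the pipeline supports sub-technique ids. ```
| eval rule_impact="medium"
| eval rule_confidence="medium"
| eval mitre_id="T1110"
| eval description="Possible Password Spray Attack against host \"".host."\""
| eval useful_fields="Logon_Type=".Logon_Type."|Failure_Reason=\"".Failure_Reason."\"|user_count=".user_count."|user_logon_attempts=\"".user_logon_attempts."\"|Source_Network_Addresses=\"".Source_Network_Addresses."\""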