Threat Hunting Use Case: Windows Authentication Attacks

Previously, we discussed the threat hunting use case Windows Authentication Hygiene, which reviewed hygiene and best practices to follow within the environment as well as how to determine an expected baseline of activity. The objective of the prior hunt campaign was to remove as much noise as possible that would hinder detection of actual attacks in addition to establishing a baseline for authentication traffic to assist with understanding what normal looks like and increase the ability to detect when an abnormal event occurs. This brings us to the threat hunting use case Windows Authentication Attacks which focuses on more granular tactics, techniques, and procedures (TTPs) that follow MITRE ATT&CK framework.

Building upon your previous threat hunts

Threat hunting is an active form of cyber defense that allows your team to proactively identify abnormal behavior or vulnerabilities and mitigate these before any harm is done.  But how do you know what to hunt for? Knowing where to begin and what to look for can be the greatest challenge; that’s why we’re sharing a series of the threat hunting use cases we use, developed and refined by our Research and Development teams over years and across different environments, to help you get started and mature your threat hunting program.  

When first developing a threat hunting use case, we look at tactics and techniques mapped to the MITRE ATT&CK framework and associate them to log sources that would output indicators of that attack. An example for our Windows Authentication Attack use case would be Steal or Forge Kerberos Tickets (T1558) and Brute Force (T1110), both of which are mapped to MITRE ATT&CK. We call these the “Threat Analysis” objectives or outcomes for our use case.

While the purpose of this hunt use case is to identify evidence of attack activity it is always important to identify hygiene issues. This ensures that vulnerabilities are being patched and addressed during the hunt to prevent attacks from being successful in the future.

Use Case: Windows Authentication Attacks

Objective: Common attack vectors that affect user accounts include password spraying, social engineering, and brute force. Compromised account credentials are also one of the most common ways a threat actor can obtain access to an environment. This hunt is designed to search for more sophisticated authentication-based attacks that would fall out of the scope of standard rule logic.

Log Source & Requirements: Windows Security Event Logs

Duration: 30-90 Days

Related MITRE Techniques: T1078, T1110, T1558, T1098, T1550, T1136


Threat Analysis

What to look for Why?
Look for spikes of failed logons (Event ID 4625) originating from a single source targeting one or multiple accounts. An attacker may attempt to brute force account credentials by attacks like password spraying (attempting a few common passwords against multiple accounts) or password guessing (attempting many passwords against one or multiple accounts).
Review account successful logons (Event ID 4624) where the logon type is 3 and the authentication protocol is NTLM accompanied by event IDs 4672 and 4776. This could be an indicator of Pass the Hash which is a common technique used by attackers to authenticate and carry out actions on remote systems using stolen password hashes.
Review trends for authentication attempts with the event ID 4672 “Special privileges assigned to new logon” to identify abnormal accounts with elevated permissions or administrator accounts accessing irregular systems. An attacker will need to gain administrator level privileges, either by elevating permissions for a standard user account or obtaining credentials for an existing privileged account, in order to perform actions on systems and move laterally in a network.
Audit (Event ID 4720) “A user account was created” to identify any abnormal account creations. Account creation is a common method used by attackers to maintain persistence on a system or within the network.
Search for excessive Kerberos services requested by a single source by reviewing event ID 4769 with RC4 encryption (0x17), to identify possible evidence of Kerberoasting Kerberoasting is a method used to gain access to plain text passwords for service accounts by requesting RC4 encrypted Kerberos service tickets which are susceptible to offline brute force cracking.
Review process names for any unusually named processes or processes that are not regularly seen generating logon requests. This search will identify when suspicious processes are running which could reveal unauthorized processes or applications such as malware being used to authenticate within the environment.

Make threat hunting a reality at your organization with ReliaQuest GreyMatter.

By aggregating and normalizing your data from disparate tools, such as SIEM, EDR, multi-cloud, and third-party applications, ReliaQuest GreyMatter allows your team to run focused hunt campaigns, both packaged and freeform that are strategic and iterative. Use ReliaQuest GreyMatter to analyze indicators of compromise retrospectively or perform behavior assessments to visualize abnormal from normal activity.

To learn more about building a threat hunting program at your organization, check out our blog, “5 Threat Hunting Guidelines to Transition Your Team From Reactive to Proactive.”  Missed our previous threat hunting use cases? Be sure to check out our use cases that cover Firewall Targeting DNS and Windows Authentication Hygiene. And stay tuned for our next threat hunting use case in the series!