
Nterl0k - T1110.003 NTLM Bruteforce

Open nterl0k opened this issue 11 months ago • 0 comments

Details

A set of detections built to detect anomalous behaviors using the NTLM Operational via organization domain controllers.

  • https://www.varonis.com/blog/investigate-ntlm-brute-force
  • https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191
  • https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/enriched-ntlm-authentication-data-using-windows-event-8004/m-p/871827

Pending https://github.com/splunk/attack_data/pull/887

Checklist

  • [ ] Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • [ ] CI/CD jobs passed ✔️
  • [ ] Validated SPL logic.
  • [ ] Validated tags, description, and how to implement.
  • [ ] Verified references match analytic.

nterl0k Mar 16 '24 15:03