The beauty of this detection is you just need to get logs from your domain controllers.
In layman's terms: after you've authenticated into a Windows domain on computer A and try to access some resource on another domain system (computer B), computer B reaches out to a domain controller to ask whether you are legitimate. You have to dive into Windows security events 673 or 4769 and extract the information. The User Name / Account Name field holds the account making the request, and the Service Name field holds the computer it is trying to reach. The thing to do then is to count the distinct number of systems (service names) per user name. If that is a reasonably high number in a short period of time, there is a good chance something is up with that user name or with the computer the user is logged on to. That query in Splunk looks something like this:
sourcetype="WinEventLog:Security" EventCode=4769 OR EventCode=673 NOT Service_Name="krbtgt" Service_Name=*$ | eval usr_name=coalesce(User_Name,Account_Name) | rex field=usr_name "(?<user_name>\S[^@]+)" | eval Domain=coalesce(User_Domain,Account_Domain) | stats dc(Service_Name) AS Unique_Systems values(Service_Name) AS Systems_List by user_name, Domain, index, EventCode | sort -Unique_Systems | where Unique_Systems > 10
You probably want to cut out your server space - at least your DCs and file share servers, as your desktop systems will be reaching out to those normally. I have the final output list a couple of things to help troubleshoot your top detections. Hope this is helpful.
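The same counting logic as an added Python example (not code from the original post), run over constructed 4769 records whose field names mirror the Splunk extractions; the host names, the CORP domain and the KNOWN_SERVERS exclusion list are assumptions, and it adds a sliding time window so "in a short period of time" is part of the check:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 events for the example, not real log data.
SAMPLE_EVENTS = [
    {"time": "2024-01-10 09:00:05", "Account_Name": "alice@CORP.LOCAL", "Account_Domain": "CORP", "Service_Name": "DC01$"},
    {"time": "2024-01-10 09:00:07", "Account_Name": "alice@CORP.LOCAL", "Account_Domain": "CORP", "Service_Name": "FS01$"},
    {"time": "2024-01-10 09:01:00", "Account_Name": "alice@CORP.LOCAL", "Account_Domain": "CORP", "Service_Name": "krbtgt"},
    {"time": "2024-01-10 09:02:00", "Account_Name": "alice@CORP.LOCAL", "Account_Domain": "CORP", "Service_Name": "WS-ALICE$"},
] + [
    # bob requests tickets for 12 different workstations in 12 minutes
    {"time": f"2024-01-10 09:{m:02d}:00", "Account_Name": "bob", "Account_Domain": "CORP", "Service_Name": f"WS{n:03d}$"}
    for m, n in zip(range(5, 17), range(1, 13))
]

ACCOUNT_RE = re.compile(r"(?P<user_name>\S[^@]+)")  # same capture as the rex in the SPL
KNOWN_SERVERS = {"DC01$", "FS01$"}  # assumed DCs / file servers every desktop talks to


def normalize_user(account_name):
    """Strip a trailing @REALM the way the rex in the query does."""
    m = ACCOUNT_RE.match(account_name)
    return m.group("user_name") if m else account_name


def flag_fanout(events, threshold=10, window=timedelta(hours=1), exclude=KNOWN_SERVERS):
    """Return {(user, domain): sorted systems} for accounts that requested service
    tickets to more than `threshold` distinct computer accounts inside any `window`."""
    per_user = defaultdict(list)
    for ev in events:
        svc = ev["Service_Name"]
        # Mirror the SPL filters: computer accounts only, no krbtgt, no known servers
        if svc == "krbtgt" or not svc.endswith("$") or svc in exclude:
            continue
        key = (normalize_user(ev["Account_Name"]), ev["Account_Domain"])
        per_user[key].append((datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S"), svc))
    hits = {}
    for key, rows in per_user.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            # distinct service names among tickets within `window` of this one
            seen = {s for t, s in rows[i:] if t - t0 <= window}
            if len(seen) > threshold:
                hits[key] = sorted(seen)
                break
    return hits
```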
Any ways to make this more efficient/better?