EXPLORE
Sign In
← Back to Explore
splunk_escuAnomaly

Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials

The following analytic identifies a source user failing to authenticate with multiple users using explicit credentials on a host. It leverages Windows Event Code 4648 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment.

MITRE ATT&CK

T1110.003

Detection Query

`wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$
  | bucket span=5m _time
  | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as user values(dest) as dest values(src_ip) as src_ip
    BY _time, Computer, Caller_User_Name
  | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std
    BY Computer
  | eval upperBound=(comp_avg+comp_std*3)
  | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0)
  | search isOutlier=1
  | `windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter`

Author

Mauricio Velazco, Splunk

Created

2026-03-10

Data Sources

Windows Event Log Security 4648

References

Tags

Active Directory Password SprayingInsider ThreatVolt Typhoon
Raw Content
name: Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
id: 14f414cf-3080-4b9b-aaf6-55a4ce947b93
type: Anomaly
version: 10
status: production
date: '2026-03-10'
author: Mauricio Velazco, Splunk
data_source:
    - Windows Event Log Security 4648
description: The following analytic identifies a source user failing to authenticate with multiple users using explicit credentials on a host. It leverages Windows Event Code 4648 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment.
how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.
known_false_positives: A source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. Some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. Possible false positive scenarios include systems where several users connect to like Mail servers, identity providers, remote desktop services, Citrix, etc.
references:
    - https://attack.mitre.org/techniques/T1110/003/
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
search: |-
    `wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$
      | bucket span=5m _time
      | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as user values(dest) as dest values(src_ip) as src_ip
        BY _time, Computer, Caller_User_Name
      | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std
        BY Computer
      | eval upperBound=(comp_avg+comp_std*3)
      | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0)
      | search isOutlier=1
      | `windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter`
rba:
    message: Potential password spraying attack from $Computer$
    risk_objects:
        - field: user
          type: user
          score: 20
        - field: Computer
          type: system
          score: 20
    threat_objects: []
tags:
    analytic_story:
        - Active Directory Password Spraying
        - Insider Threat
        - Volt Typhoon
    asset_type: Endpoint
    mitre_attack_id:
        - T1110.003
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/windows-security.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog
      name: True Positive Test