Windows Rapid Authentication On Multiple Hosts

name: Windows Rapid Authentication On Multiple Hosts
id: 62606c77-d53d-4182-9371-b02cdbbbcef7
version: 9
date: '2026-03-10'
author: Mauricio Velazco, Splunk
type: TTP
status: production
data_source:
    - Windows Event Log Security 4624
description: The following analytic detects a source computer authenticating to 30 or more remote endpoints within a 5-minute timespan using Event ID 4624. This behavior is identified by analyzing Windows Event Logs for LogonType 3 events and counting unique target computers. Such activity is significant as it may indicate lateral movement or network share enumeration by an adversary. If confirmed malicious, this could lead to unauthorized access to multiple systems, potentially compromising sensitive data and escalating privileges within the network.
search: |-
    `wineventlog_security` EventCode=4624 LogonType=3 TargetUserName!="ANONYMOUS LOGON" TargetUserName!="*$"
      | bucket span=5m _time
      | stats dc(Computer) AS unique_targets values(Computer) as host_targets values(dest) as dest values(src) as src values(user) as user
        BY _time, IpAddress, TargetUserName,
           action, app, authentication_method,
           signature, signature_id
      | where unique_targets > 30
      | `windows_rapid_authentication_on_multiple_hosts_filter`
how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.
known_false_positives: Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed.
references:
    - https://attack.mitre.org/techniques/T1135/
    - https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/
    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
drilldown_searches:
    - name: View the detection results for - "$host_targets$"
      search: '%original_detection_search% | search  host_targets = "$host_targets$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$host_targets$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host_targets$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: The source computer with ip address $IpAddress$ authenticated to a large number of remote endpoints within 5 minutes.
    risk_objects:
        - field: host_targets
          type: system
          score: 50
    threat_objects:
        - field: IpAddress
          type: ip_address
tags:
    analytic_story:
        - Active Directory Privilege Escalation
        - Active Directory Lateral Movement
    asset_type: Endpoint
    mitre_attack_id:
        - T1003.002
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/windows-security.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog