sigmamediumHunting

NTLM Brute Force

Detects common NTLM brute force device names

MITRE ATT&CK

credential-access

Detection Query

selection:
  EventID: 8004
devicename:
  WorkstationName:
    - Rdesktop
    - Remmina
    - Freerdp
    - Windows7
    - Windows8
    - Windows2012
    - Windows2016
    - Windows2019
condition: selection and devicename

Author

Jerry Shockley '@jsh0x'

Created

2022-02-02

Data Sources

windowsntlm

Platforms

windows

References

https://www.varonis.com/blog/investigate-ntlm-brute-force

Tags

attack.credential-accessattack.t1110

Raw Content

title: NTLM Brute Force
id: 9c8acf1a-cbf9-4db6-b63c-74baabe03e59
status: test
description: Detects common NTLM brute force device names
references:
    - https://www.varonis.com/blog/investigate-ntlm-brute-force
author: Jerry Shockley '@jsh0x'
date: 2022-02-02
tags:
    - attack.credential-access
    - attack.t1110
logsource:
    product: windows
    service: ntlm
    definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
    selection:
        EventID: 8004
    devicename:
        WorkstationName:
            - 'Rdesktop'
            - 'Remmina'
            - 'Freerdp'
            - 'Windows7'
            - 'Windows8'
            - 'Windows2012'
            - 'Windows2016'
            - 'Windows2019'
    condition: selection and devicename
falsepositives:
    - Systems with names equal to the spoofed ones used by the brute force tools
level: medium