Event id 8004 – Finding the Source of Windows Password Spraying Attacks

June 13, 2019

Password Spraying

Finding the source of Windows password spraying attacks can be daunting as the Event log does not provide the source IP of the machine making the calls.

Windows Event Logs

Ideally all of your Windows Event logs from your domain controllers should be going in to some type of SIEM. I will be using Graylog in this example.

In this case we will be looking for accounts with failed login attempts by looking at Event ID 8004 (which will actually log the true source computer).

Group Policy Configuration

To ensure that EventID 8004 is being logged you need to enable the following via Windows Group Policy (on the domain controllers):

Network security: Restrict NTLM: Audit NTLM authentication in this domain = Enable all
Network security: Restrict NTLM: Audit Incoming NTLM Traffic = Enable auditing for all accounts

Graylog Query

In my case the password spraying malware was always trying usernames with capital letters. This was my search query:

EventID:8004 AND UserName:/[A-Z0-9\s]+/

You should be sorting your data based on the UserName and stacking it with the field “SChannelName” and “Workstation name”

EventID 8004

I like the description of EventID 8004 from the book Windows Security Monitoring: Scenarios and Patterns By Andrei Miroshnikov:

8004 is a dedicated event for NTLM-family protocol credentials validation requests. It generates for both successful and unsuccessful authentication requests.

These are the important fields to look at

Secure Channel Name

Contains information about the authentication target/destination hostname.

Secure Channel Type

The type of secure channel through which the authentication request was received by the domain controller

User Name

Shows the name of the domain account for which credentials were validated

Workstation Name

Contains information about the source host from which an authentication request was received by the destination host

Packet Capture

Once you have identified the source machine you may want to take a packet capture to see the attack realtime. In this case I recommend taking a packet capture from the source machine or the domain controller where you found the corresponding EventID 8004 entries.

Microsoft Network Monitor

I recommend using Microsoft Network Monitor as it works well with Windows Domain Controllers

First configure the parser profile to Windows:

  1. Menu Tools -> Options
  2. Select tab “Parser Profiles”
  3. In the list, Select “Windows”
  4. Click the button “Set as Active”
  5. If you are running a capture restart it

If the attacking computer’s address resolved to this would be your query:

IPv4.Address == AND Description == "NRPC:NetrLogonSamLogonWithFlags Request, *Encrypted*"

Without Additional Software

If you want to take a packet capture without installing additional software (which is very handy for endpoints) you can use netsh.exe

Below is an example to take an 800 MB packet capture and save the output to C:\admin\capture\NetTrace2.etl

C:\windows\system32\Netsh.exe trace start scenario=NetConnection capture=yes report=yes persistent=no maxsize=800 fileMode=single correlation=yes traceFile=C:\admin\capture\NetTrace2.etl

If you want to stop the packet capture early you can run:

C:\windows\system32\netsh.exe trace stop

Additional Resources

Other noteworthy resources on this (more: