Auth Log Hunting

Hunt for credential abuse and lateral movement using authentication telemetry.

Last updated: February 2026

Purpose and Scope

Authentication logs are among the most valuable data sources for detecting compromised credentials and lateral movement. This playbook covers hunting techniques for identifying unauthorized access, credential theft, and attacker movement across Windows, Linux, and cloud environments.

Prerequisites

  • Log sources: Windows Security logs, Linux auth logs, Azure AD/Entra sign-in logs, VPN logs
  • SIEM access: Query capability across authentication data
  • Baseline knowledge: Understanding of normal authentication patterns in your environment
  • Asset inventory: Knowledge of critical systems and privileged accounts

Key Data Sources

Windows Authentication

  • Event ID 4624: Successful logon
  • Event ID 4625: Failed logon
  • Event ID 4648: Explicit credential use (RunAs)
  • Event ID 4672: Special privileges assigned (admin logon)
  • Event ID 4768: Kerberos TGT request
  • Event ID 4769: Kerberos service ticket request
  • Event ID 4776: NTLM authentication

Linux Authentication

  • /var/log/auth.log or /var/log/secure: SSH, sudo, su events
  • Accepted/Failed password: SSH login attempts
  • session opened/closed: User session management
  • sudo commands: Privilege escalation events

Cloud Identity

  • Azure AD sign-in logs: Interactive and non-interactive sign-ins
  • Azure AD audit logs: Account and group changes
  • AWS CloudTrail: Console and API authentication
  • Okta system logs: Authentication events and failures

Hunting Hypotheses

Credential Stuffing and Spraying

Attackers try many passwords against one account or one password against many accounts:

  • Look for accounts with many failed logons in a short period
  • Look for a single source IP failing against many accounts
  • Identify spray patterns: same error, same time window, many targets

Splunk example:

index=wineventlog EventCode=4625
| bin _time span=1h
| stats count by src_ip, user, _time
| where count > 10
| sort -count
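The same hourly bucketing, carried out over constructed 4625-style records rather than in SPL, as an added example that is not part of this playbook. It covers both shapes the hypotheses above describe: one source hitting many accounts (spraying) and one account failing many times (stuffing); the thresholds and the sample events are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon (Event ID 4625) records: (ISO time, src_ip, user). Not real telemetry.
FAILED_LOGONS = [
    ("2026-02-03T09:00:05", "203.0.113.7", "alice"),
    ("2026-02-03T09:00:09", "203.0.113.7", "bob"),
    ("2026-02-03T09:00:14", "203.0.113.7", "carol"),
    ("2026-02-03T09:00:21", "203.0.113.7", "dave"),
    ("2026-02-03T09:00:30", "203.0.113.7", "erin"),
    ("2026-02-03T09:00:44", "203.0.113.7", "frank"),
    ("2026-02-03T09:05:00", "10.0.0.21", "alice"),    # one user mistyping a password
    ("2026-02-03T09:06:00", "10.0.0.21", "alice"),
    ("2026-02-03T11:30:00", "198.51.100.9", "alice"),  # falls in a different hourly window
]


def window_start(ts: str, span: timedelta) -> datetime:
    """Floor a timestamp to the start of its window, like Splunk's `bin _time span=1h`."""
    t = datetime.fromisoformat(ts)
    return datetime.min + ((t - datetime.min) // span) * span


def detect_failed_logon_patterns(events, span=timedelta(hours=1),
                                 spray_accounts=5, stuffing_failures=10):
    """Return (sprays, stuffing).

    sprays:   {(window, src_ip): [accounts]} for sources failing against >= spray_accounts
              distinct accounts in one window (one password, many targets).
    stuffing: {(window, src_ip, user): failures} for a single account failing
              >= stuffing_failures times from one source in one window.
    Thresholds are assumed starting points; tune them against your own baseline.
    """
    accounts_per_src = defaultdict(set)
    failures_per_user = defaultdict(int)
    for ts, src_ip, user in events:
        window = window_start(ts, span).isoformat()
        accounts_per_src[(window, src_ip)].add(user)
        failures_per_user[(window, src_ip, user)] += 1
    sprays = {key: sorted(users) for key, users in accounts_per_src.items()
              if len(users) >= spray_accounts}
    stuffing = {key: n for key, n in failures_per_user.items() if n >= stuffing_failures}
    return sprays, stuffing


if __name__ == "__main__":
    sprays, stuffing = detect_failed_logon_patterns(FAILED_LOGONS)
    for (window, src_ip), users in sprays.items():
        print(f"spray  {window} {src_ip} -> {len(users)} accounts: {', '.join(users)}")
    for (window, src_ip, user), n in stuffing.items():
        print(f"stuff  {window} {src_ip} -> {user} failed {n} times")
```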

Impossible Travel

A user authenticates from geographically distant locations within a short time:

  • Compare sequential logon locations for same user
  • Flag authentications from different countries within hours
  • Account for VPN and proxy usage in baseline
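The three bullets above as a worked check, added here and not part of the original playbook: sequential sign-ins per user are compared by great-circle distance and implied speed, and pairs involving a known VPN or proxy egress address are skipped so they do not pollute the baseline. The sign-in records, coordinates, egress list and speed threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

# Constructed sign-in records: (user, ISO time, source IP, (lat, lon)).
# In practice the coordinates come from an IP geolocation lookup; these are invented.
SIGNINS = [
    ("alice", "2026-02-03T08:00:00", "198.51.100.4", (51.5074, -0.1278)),    # London
    ("alice", "2026-02-03T09:30:00", "203.0.113.9", (40.7128, -74.0060)),    # New York, 90 min later
    ("bob",   "2026-02-03T08:00:00", "198.51.100.4", (51.5074, -0.1278)),    # London
    ("bob",   "2026-02-03T16:00:00", "192.0.2.77",   (52.5200, 13.4050)),    # Berlin, 8 h later
    ("carol", "2026-02-03T08:00:00", "198.51.100.4", (51.5074, -0.1278)),    # London
    ("carol", "2026-02-03T08:05:00", "10.20.0.1",    (37.7749, -122.4194)),  # corporate VPN egress
]

# Assumed allowlist: egress addresses whose geolocation says nothing about the user's location.
VPN_EGRESS = {"10.20.0.1"}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def impossible_travel(signins, max_speed_kmh=900.0, vpn_egress=VPN_EGRESS):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_speed_kmh.

    Returns (user, from_ip, to_ip, distance_km, hours) tuples. max_speed_kmh is an
    assumed threshold roughly at airliner speed; anything faster cannot be one person.
    """
    by_user = defaultdict(list)
    for user, ts, ip, loc in sorted(signins, key=lambda r: (r[0], r[1])):
        by_user[user].append((datetime.fromisoformat(ts), ip, loc))
    flagged = []
    for user, rows in by_user.items():
        for (t1, ip1, l1), (t2, ip2, l2) in zip(rows, rows[1:]):
            if ip1 in vpn_egress or ip2 in vpn_egress:
                continue  # location of a VPN/proxy egress is not the user's location
            hours = (t2 - t1).total_seconds() / 3600
            dist = haversine_km(l1, l2)
            # hours == 0 with a non-zero distance is also impossible, so flag it too
            if dist > 0 and (hours <= 0 or dist / hours > max_speed_kmh):
                flagged.append((user, ip1, ip2, round(dist), round(hours, 2)))
    return flagged
```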

Unusual Logon Times

Legitimate users have patterns; attackers may not:

  • Baseline normal working hours per user or group
  • Flag after-hours authentication to sensitive systems
  • Watch for weekend access to systems typically idle

First Time Access

A user or system accessing a resource for the first time may indicate compromise:

  • First logon to a server by a user
  • First remote access from a workstation
  • New source IP for a user account

Lateral Movement Indicators

Pass the Hash / Pass the Ticket

Attackers use stolen credential material instead of passwords:

  • NTLM authentication from unusual sources
  • Kerberos service ticket requests without a corresponding TGT request
  • Same account authenticating to many systems in short time

RDP Lateral Movement

  • Event 4624 with LogonType 10 (Remote Interactive)
  • Chain of RDP sessions: A to B to C
  • RDP from servers (servers should rarely initiate RDP)
  • RDP to systems user has never accessed

SMB Lateral Movement

  • Event 4624 with LogonType 3 (Network)
  • Admin share access (C$, ADMIN$) from workstations
  • Unusual account accessing file shares
  • Service account authenticating interactively

WMI and PowerShell Remoting

  • Event 4624 with LogonType 3 followed by process creation
  • WinRM authentication events
  • Remote PowerShell session establishment

Hunting Queries

Multiple Hosts Same Account (Lateral Movement)

Splunk:

index=wineventlog EventCode=4624 LogonType IN (3, 10)
| stats dc(dest) as unique_hosts values(dest) as hosts by user
| where unique_hosts > 5
| sort -unique_hosts

Admin Share Access

Splunk:

index=wineventlog EventCode=5140 ShareName IN ("\\*\C$", "\\*\ADMIN$")
| stats count by src_ip, user, ShareName, dest
| sort -count

Service Account Interactive Logon

Splunk:

index=wineventlog EventCode=4624 LogonType IN (2, 10) user=svc_*
| table _time, user, src_ip, dest, LogonType

Failed Logons Followed by Success

Splunk:

index=wineventlog EventCode IN (4625, 4624)
| transaction user maxspan=10m
| search EventCode=4625 AND EventCode=4624
| table _time, user, src_ip, dest

Kerberos Specific Hunting

Kerberoasting

Attackers request service tickets for accounts with SPNs and crack the encrypted ticket material offline:

  • Event 4769 for service accounts with ticket encryption type RC4 (0x17)
  • Single user requesting tickets for many services
  • Unusual account requesting service tickets

Golden Ticket

A forged TGT allows access to any resource:

  • TGS requests without a corresponding TGT request
  • Tickets with unusual lifetimes
  • Domain admin activity from unexpected sources

Validation and False Positives

  • Service accounts: May legitimately touch many systems
  • Administrators: IT staff may have broad access patterns
  • Automated processes: Scheduled tasks and monitoring may create patterns
  • VPN and proxy: May mask true source location

Build allowlists for known patterns and validate anomalies against IT records.

Escalation Guidance

Escalate to incident response when:

  • Confirmed unauthorized access to systems
  • Evidence of credential theft (mimikatz artifacts, LSASS access)
  • Lateral movement pattern across multiple systems
  • Privileged account compromise suspected
  • Access to sensitive data or systems

References

  • MITRE ATT&CK: Lateral Movement (TA0008)
  • MITRE ATT&CK: Credential Access (TA0006)
  • Microsoft Security Auditing documentation
  • CISA: Detecting Lateral Movement
  • SANS: Spotting the Adversary with Windows Event Log Monitoring
