Detection rules › Splunk

Detect Password Spray Attack Behavior From Source

Author
Steven Dick
Source
upstream

The following analytic identifies a single source failing to authenticate against 10 or more unique users. This behavior could represent an adversary performing a password spraying attack to obtain initial access or elevate privileges. The logic can be used for real-time security monitoring as well as threat hunting exercises and works well against any number of data sources ingested into the CIM Authentication datamodel. Environments can differ considerably between organizations, so test and customize this detection's thresholds if needed.

MITRE ATT&CK coverage

Tactic            | Techniques
Credential Access | T1110.003 Brute Force: Password Spraying

Event coverage

Provider          | Event ID | Title
Security-Auditing | 4624     | An account was successfully logged on.
Security-Auditing | 4625     | An account failed to log on.

Stages and Predicates

Stage 1: tstats

tstats BY Authentication.action, Authentication.app, Authentication.authentication_method, Authentication.dest, Authentication.signature, Authentication.signature_id, Authentication.src, Authentication.user

Stage 2: search

search

Stage 3: eval

eval ... using (action, count, null)

Stage 4: stats

stats BY src

Stage 5: fields

fields _time

Stage 6: where

where ... using (.25, failed_dc, user_dc >= 10)

Stage 7: search

search

Stage 8: search

search

Stage 9: search

search `macro`
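To make the analytic's threshold testable outside Splunk, here is an added example (not the rule's own SPL and not from the page) that reproduces the stats-by-source and where stages over constructed CIM-style Authentication events: it computes user_dc and failed_dc per src and applies the page's user_dc >= 10 predicate. The rule's where clause also references failed_dc and the constant .25, but the exact comparison is not preserved on the page, so the ratio filter below (failed_dc / user_dc > 0.25) is an assumption.

```python
from collections import defaultdict

# Constructed CIM-style Authentication events: (src, user, action).
# 10.0.0.5 tries one password against 12 accounts (one happens to work);
# 10.0.0.9 is an ordinary host with two users and a single mistyped password.
EVENTS = (
    [("10.0.0.5", f"user{i:02d}", "failure") for i in range(12)]
    + [("10.0.0.5", "user03", "success")]
    + [("10.0.0.9", "alice", "failure"), ("10.0.0.9", "alice", "success"),
       ("10.0.0.9", "bob", "success")]
)


def aggregate_by_src(events):
    """Mirror of the rule's 'stats BY src' stage: distinct users seen per
    source (user_dc) and distinct users with at least one failure (failed_dc)."""
    users = defaultdict(set)
    failed = defaultdict(set)
    for src, user, action in events:
        users[src].add(user)
        if action == "failure":
            failed[src].add(user)
    return {
        src: {
            "user_dc": len(users[src]),
            "failed_dc": len(failed[src]),
            # share of seen users that failed; used by the assumed ratio filter
            "failed_ratio": len(failed[src]) / len(users[src]),
        }
        for src in users
    }


def detect_spray(events, min_user_dc=10, min_failed_ratio=0.25):
    """Apply the rule's 'where' stage. user_dc >= 10 is the page's predicate;
    the ratio comparison is an assumption standing in for the rule's use of
    failed_dc and the constant .25, whose exact form the page does not give."""
    hits = {}
    for src, s in aggregate_by_src(events).items():
        if s["user_dc"] >= min_user_dc and s["failed_ratio"] > min_failed_ratio:
            hits[src] = s
    return hits


if __name__ == "__main__":
    for src, s in detect_spray(EVENTS).items():
        print(f"{src}: user_dc={s['user_dc']} failed_dc={s['failed_dc']} "
              f"failed_ratio={s['failed_ratio']:.2f}")
```

Lowering min_user_dc shows how quickly a busy jump host or a mistyped password can cross the threshold, which is the tuning the page asks for.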

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field   | Kind | Values
user_dc | ge   | 10