Detect Password Spray Attack Behavior On User
The following analytic identifies any user failing to authenticate from 10 or more unique sources. This behavior could represent an adversary performing a Password Spraying attack to obtain initial access or elevate privileges. This logic can be used for real-time security monitoring as well as threat hunting exercises. Environments can be very different depending on the organization; test and customize this detection's thresholds as needed.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1110.003 Brute Force: Password Spraying |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4624 | An account was successfully logged on. |
| Security-Auditing | 4625 | An account failed to log on. |
Stages and Predicates
Stage 1: tstats
tstats BY Authentication.action, Authentication.app, Authentication.authentication_method, Authentication.dest, Authentication.signature, Authentication.signature_id, Authentication.src, Authentication.user
Stage 2: search
search
Stage 3: eval
eval ... using (action, count, null)
Stage 4: stats
stats BY user
Stage 5: fields
fields _time
Stage 6: where
where .25> failed_dc> src_dc>=10
Stage 7: search
search
Stage 8: search
search
Stage 9: search
search `macro`
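As an added illustration (not the rule's own SPL and not Splunk code), the per-user distinct-source count that the description and the stage pipeline above express, run in Python over constructed sample events; the field names, the 4625/4624 mapping and the 10-source threshold are taken from the page, while the event tuples are constructed.

```python
"""Added example: per-user count of distinct failing sources, as the analytic
describes. Field names (user, src, action) follow the Authentication data model
named in the stages; the events below are constructed, not real telemetry."""
from collections import defaultdict

# Event coverage table: 4625 = failed logon, 4624 = successful logon
ACTION = {4625: "failure", 4624: "success"}
SRC_DC_THRESHOLD = 10  # "10 or more unique sources"

# Constructed sample events: (event_id, user, src)
SAMPLE_EVENTS = [
    *[(4625, "jdoe", f"10.0.0.{i}") for i in range(1, 13)],  # 12 distinct sources
    (4624, "jdoe", "10.0.0.12"),                             # followed by a success
    *[(4625, "asmith", "10.0.1.5") for _ in range(30)],      # many failures, one source
    (4625, "bwu", "10.0.2.7"),
    (4624, "bwu", "10.0.2.7"),
]


def summarise(events):
    """Stages 3-4: turn action into per-user counters, keyed by user."""
    per_user = defaultdict(lambda: {"failed_srcs": set(), "failed": 0, "success": 0})
    for event_id, user, src in events:
        action = ACTION.get(event_id)
        if action is None:
            continue  # outside the rule's event coverage
        row = per_user[user]
        if action == "failure":
            row["failed_srcs"].add(src)  # dc(src) over failures -> src_dc
            row["failed"] += 1
        else:
            row["success"] += 1
    return per_user


def detect(events, threshold=SRC_DC_THRESHOLD):
    """Stage 6: keep users whose failures come from >= threshold distinct sources."""
    hits = []
    for user, row in summarise(events).items():
        src_dc = len(row["failed_srcs"])
        if src_dc >= threshold:
            hits.append({"user": user, "src_dc": src_dc,
                         "failed_count": row["failed"],
                         "success_count": row["success"]})
    return sorted(hits, key=lambda h: h["user"])


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Note that asmith, with 30 failures from a single host, is not flagged: this rule keys on source diversity per user, so a single-source brute force needs a different detection.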
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank cell or a 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| src_dc | ge | 10 |