Detect Password Spray Attempts

Try in Splunk Security Cloud

Description

This analytic employs the 3-sigma approach to detect an unusual volume of failed authentication attempts from a single source. A password spray attack is a type of brute force attack where an attacker tries a few common passwords across many different accounts to avoid detection and account lockouts. By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing comprehensive coverage and enhancing security against these attacks.

• Type: TTP
• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Authentication
• Last Updated: 2023-11-01
• Author: Dean Luxton
• ID: 086ab581-8877-42b3-9aee-4a7ecb0923af

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1110.003	Password Spraying	Credential Access

T1110

Brute Force

Credential Access

Kill Chain Phase

• Exploitation

NIST

• DE.CM

CIS20

• CIS 10

CVE

Search

| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts values(Authentication.app) as app count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.src, Authentication.action, Authentication.signature_id, sourcetype, _time  span=2m 
| `drop_dm_object_name("Authentication")` ```fill out time buckets for 0-count events during entire search length``` 
| appendpipe [
| timechart limit=0 span=5m count 
| table _time] 
| fillnull value=0 unique_accounts, unique_src ``` remove duplicate & empty time buckets``` 
| sort - total_failures 
| dedup _time ``` Create aggregation field & apply to all null events``` 
| eval counter=src+"__"+sourcetype+"__"+signature_id 
| eventstats values(counter) as fnscounter 
| eval counter=coalesce(counter,fnscounter) 
| eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by counter 
| eval upperBound=(comp_avg+comp_std*3) 
| eval isOutlier=if(unique_accounts > 30 and unique_accounts >= upperBound, 1, 0) 
| replace "::ffff:*" with * in src 
| where isOutlier=1 
| foreach * [ eval <<FIELD>> = if(<<FIELD>>="null",null(),<<FIELD>>)] 
| table _time, src, action, app, unique_accounts, total_failures, sourcetype, signature_id 
| `detect_password_spray_attempts_filter`

Macros

The SPL above uses the following Macros:

• security_content_summariesonly

detect_password_spray_attempts_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• Authentication.action
• Authentication.user
• Authentication.src

How To Implement

Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly.

Known False Positives

Unknown

Associated Analytic Story

• Compromised User Account
• Active Directory Password Spraying

RBA

Risk Score	Impact	Confidence	Message
49.0	70	70	Potential Password Spraying attack from $src$ targeting $unique_accounts$ unique accounts.

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://attack.mitre.org/techniques/T1110/003/

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1