Detection: Detect Password Spray Attempts
Description
This analytic employs the 3-sigma approach to detect an unusual volume of failed authentication attempts from a single source. A password spray attack is a type of brute force attack where an attacker tries a few common passwords across many different accounts to avoid detection and account lockouts. By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing comprehensive coverage and enhancing security against these attacks.
Search
| tstats `security_content_summariesonly` values(Authentication.user) AS unique_user_names dc(Authentication.user) AS unique_accounts values(Authentication.app) as app count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" NOT Authentication.src IN ("-","unknown") by Authentication.action Authentication.app Authentication.authentication_method Authentication.dest
    Authentication.signature Authentication.signature_id Authentication.src sourcetype _time span=5m
| `drop_dm_object_name("Authentication")`
```fill out time buckets for 0-count events during entire search length```
| appendpipe [
| timechart limit=0 span=5m count
| table _time]
| fillnull value=0 unique_accounts
``` Create aggregation field & apply to all null events```
| eval counter=src+"__"+sourcetype+"__"+signature_id
| eventstats values(counter) as fnscounter
| eval counter=coalesce(counter,fnscounter)
``` stats version of mvexpand ```
| stats values(app) as app values(unique_user_names) as unique_user_names values(total_failures) as total_failures values(src) as src values(signature_id) as signature_id values(sourcetype) as sourcetype count by counter unique_accounts _time
``` remove duplicate time buckets for each unique source```
| sort - _time unique_accounts
| dedup _time counter
```Find the outliers```
| eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by counter
| eval upperBound=(comp_avg+comp_std*3)
| eval isOutlier=if(unique_accounts > 30 and unique_accounts >= upperBound, 1, 0)
| replace "::ffff:*" with * in src
| where isOutlier=1
| foreach *
    [ eval <<FIELD>> = if(<<FIELD>>="null",null(),<<FIELD>>)]
| table _time, src, action, app, unique_accounts, unique_user_names, total_failures, sourcetype, signature_id, counter
| `detect_password_spray_attempts_filter`
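The statistical core of the search above, modelled in Python as an added example (this is not code from the Splunk detection or the security_content project) and run over constructed authentication failures. It reproduces the 3-sigma rule the SPL applies: distinct failed users per source per 5-minute bucket, zero-filled for every bucket in the search window (the effect of the appendpipe/fnscounter trick), a per-counter mean and sample standard deviation, and the flag when unique_accounts > 30 and unique_accounts >= mean + 3*stdev. Assumed inputs are (timestamp, src, user, sourcetype, signature_id) tuples; the IPv4-mapped "::ffff:" prefix is stripped the way the replace command does.

```python
"""Model of the 3-sigma password-spray detection (added example, not the
detection's own code). Assumes events are tuples of
(timestamp, src, user, sourcetype, signature_id)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, stdev

BUCKET = timedelta(minutes=5)   # span=5m
MIN_ACCOUNTS = 30               # hard floor: unique_accounts > 30
SIGMA = 3                       # upperBound = avg + stdev*3


def bucket_start(ts):
    """Floor a timestamp to its 5-minute bucket (the _time of span=5m)."""
    return ts - timedelta(minutes=ts.minute % 5, seconds=ts.second,
                          microseconds=ts.microsecond)


def find_spray_outliers(events, window_start, window_end):
    """Return one dict per (counter, bucket) that the 3-sigma rule flags."""
    # Distinct users per aggregation key per bucket (dc(Authentication.user)).
    users = defaultdict(set)
    for ts, src, user, sourcetype, sig_id in events:
        if src in ("-", "unknown"):          # NOT Authentication.src IN ("-","unknown")
            continue
        src = src.removeprefix("::ffff:")     # replace "::ffff:*" with * in src
        counter = f"{src}__{sourcetype}__{sig_id}"
        users[(counter, bucket_start(ts))].add(user)

    # Every bucket in the search window, so quiet periods count as zeros.
    buckets = []
    b = bucket_start(window_start)
    while b < window_end:
        buckets.append(b)
        b += BUCKET

    results = []
    for counter in sorted({c for c, _ in users}):
        # fillnull value=0 for buckets where this counter had no failures
        series = [len(users.get((counter, b), ())) for b in buckets]
        avg = mean(series)
        std = stdev(series) if len(series) > 1 else 0.0   # Splunk stdev is sample stdev
        upper = avg + SIGMA * std
        for b, n in zip(buckets, series):
            if n > MIN_ACCOUNTS and n >= upper:
                results.append({
                    "time": b, "counter": counter, "unique_accounts": n,
                    "unique_user_names": sorted(users[(counter, b)]),
                    "upper_bound": round(upper, 2),
                })
    return results


def constructed_events():
    """Constructed sample: a 70-minute window (14 buckets) with three sources."""
    start = datetime(2024, 1, 1, 12, 0, 0)
    ev = []
    # Benign noise: one service account fails once in every bucket.
    for i in range(14):
        ev.append((start + i * BUCKET + timedelta(seconds=30),
                   "10.0.0.9", "svc_backup", "XmlWinEventLog", "4625"))
    # Single-account brute force: 60 failures, but only one distinct user.
    for k in range(60):
        ev.append((start + 6 * BUCKET + timedelta(seconds=k),
                   "10.0.0.12", "admin", "XmlWinEventLog", "4625"))
    # Spray pattern: 40 distinct users from one source in the last bucket.
    for k in range(40):
        ev.append((start + 13 * BUCKET + timedelta(seconds=k),
                   "::ffff:203.0.113.7", f"user{k:02d}", "XmlWinEventLog", "4625"))
    # Unknown source is excluded by the where clause.
    ev.append((start, "unknown", "bob", "XmlWinEventLog", "4625"))
    return ev, start, start + 14 * BUCKET


if __name__ == "__main__":
    events, ws, we = constructed_events()
    for hit in find_spray_outliers(events, ws, we):
        print(hit["time"], hit["counter"], hit["unique_accounts"], hit["upper_bound"])
```

Only the 203.0.113.7 source is flagged: its series is thirteen zeros and one 40, giving a mean of about 2.86 and an upper bound of about 34.93. The single-account brute force never passes the floor because dc() counts distinct users, not failures, which is why this analytic separates spraying from ordinary brute forcing.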
Data Source
Macros Used
| Name | Value |
|---|---|
| security_content_summariesonly | summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config` |
| detect_password_spray_attempts_filter | search * |
detect_password_spray_attempts_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
| ID | Technique | Tactic |
|---|---|---|
| T1110.003 | Password Spraying | Credential Access |
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Intermediate Finding (Risk Event) | No |
TTP detections generate a Finding (Notable) and may generate Intermediate Findings (Risk Events) for associated entities.
Implementation
Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fillnull_value is set within the macro security_content_summariesonly. This search operates best on a 5 minute schedule, looking back over the past 70 minutes. Configure 70 minute throttling on the two fields _time and counter.
Known False Positives
No false positives have been identified at this time.
Associated Analytic Story
Finding
| Title | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| Potential Password Spraying attack from $src$ targeting $unique_accounts$ unique accounts. | unique_user_names | user | 50 |
Threat Objects
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Security | XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Security | XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 12