Web Fraud - Password Sharing Across Accounts

Try in Splunk Security Cloud

Description

This search is used to identify user accounts that share a common password.

• Type: Anomaly

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2018-10-08
• Author: Jim Apger, Splunk
• ID: 31337a1a-53b9-4e05-96e9-55c934cb71d3

Annotations

ATT&CK

Kill Chain Phase

• Exploitation

NIST

• DE.DP

CIS20

• CIS 16

CVE

Search

`stream_http` http_content_type=text* uri=/magento2/customer/account/loginPost*  
| rex field=form_data "login\[username\]=(?<Username>[^&
|^$]+)" 
| rex field=form_data "login\[password\]=(?<Password>[^&
|^$]+)" 
| stats dc(Username) as UniqueUsernames values(Username) as user list(src_ip) as src_ip by Password
|where UniqueUsernames>5 
| `web_fraud___password_sharing_across_accounts_filter`

Macros

The SPL above uses the following Macros:

• stream_http

web_fraud_-_password_sharing_across_accounts_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required field

• _time
• http_content_type
• uri

How To Implement

We need to start with a dataset that allows us to see the values of usernames and passwords that users are submitting to the website hosting the Magento2 e-commerce platform (commonly found in the HTTP form_data field). A tokenized or hashed value of a password is acceptable and certainly preferable to a clear-text password. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream.

Known False Positives

As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anamoluous behavior.

Associated Analytic story

• Web Fraud Detection

RBA

Risk Score	Impact	Confidence	Message
25.0	50	50	tbd

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://en.wikipedia.org/wiki/Session_ID
• https://en.wikipedia.org/wiki/Session_(computer_science)
• https://en.wikipedia.org/wiki/HTTP_cookie
• https://splunkbase.splunk.com/app/1809/

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1