| ID | Technique | Tactic |
|---|---|---|
| T1110.003 | Password Spraying | Credential Access |
Detection: Detect Password Spray Attack Behavior On User
Description
The following analytic identifies any user failing to authenticate from 10 or more unique sources. This behavior could represent an adversary performing a Password Spraying attack to obtain initial access or elevate privileges. This logic can be used for real time security monitoring as well as threat hunting exercises. Environments can be very different depending on the organization. Test and customize this detections thresholds as needed
Search
1
2| tstats `security_content_summariesonly` max(_time) as lastTime, min(_time) as firstTime, values(Authentication.user_category) as user_category values(Authentication.src_category) as src_category values(Authentication.app) as app count FROM datamodel=Authentication.Authentication
3 BY Authentication.action Authentication.app Authentication.authentication_method
4 Authentication.dest Authentication.signature Authentication.signature_id
5 Authentication.src Authentication.user
6
7| `drop_dm_object_name("Authentication")`
8
9| eval user=case((match(upper(user),"[a-zA-Z0-9]{3}")),upper(user),true(),null), success=if(action="success",count,0), src=upper(src), success_src=if(action="success",src,null), failure=if(action="failure",count,0), failed_src=if(action="failure",src,null)
10
11| stats count min(firstTime) as firstTime max(lastTime) as lastTime values(app) as app values(src_category) as src_category values(success_src) as src values(failed_src) as failed_src dc(success_src) as success_dc dc(failed_src) as failed_dc dc(src) as src_dc, sum(failure) as failure, sum(success) as success
12 BY user
13
14| fields - _time
15
16| where src_dc >= 10 AND .25 > (success/failure) AND failed_dc > success_dc
17
18| `security_content_ctime(firstTime)`
19
20| `security_content_ctime(lastTime)`
21
22| `detect_password_spray_attack_behavior_on_user_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Windows Event Log Security 4625 |  Windows |
'XmlWinEventLog' |
'XmlWinEventLog:Security' |
| Windows Event Log Security 4624 | Windows |
'XmlWinEventLog' |
'XmlWinEventLog:Security' |
Macros Used
| Name | Value |
|---|---|
| security_content_summariesonly | summariesonly=summariesonly_config allow_old_summaries=oldsummaries_config fillnull_value=fillnull_config`` |
| detect_password_spray_attack_behavior_on_user_filter | search * |
detect_password_spray_attack_behavior_on_user_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
DE.CM
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Intermediate Finding (Risk Event) | Yes |
TTP detections generate a Finding (Notable) and may generate Intermediate Findings (Risk Events) for associated entities.
Implementation
This detection requires ingesting authentication data to the appropriate accelerated datamodel. Recommend adjusting the search time window for this correlation to match the number of unique users (user_dc) in hours. i.e. 10 users over 10hrs
Known False Positives
Domain controllers, authentication chokepoints, and vulnerability scanners.
Associated Analytic Story
Finding
| Title | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| A total of $src_dc$ distinct sources attempted to access the account [$user$], $count$ times between [$firstTime$] and [$lastTime$]. $success$ successful logins detected. | user | user | 50 |
Intermediate Findings
| Message | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| A total of $src_dc$ distinct sources attempted to access the account [$user$], $count$ times between [$firstTime$] and [$lastTime$]. $success$ successful logins detected. | src | system | 50 |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Security |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Security |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 12