External Login Password Spray

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-18
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

1 Hour

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Identity Analytics

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Brute Force: Password Spraying (T1110.003)

Severity

Informational

Description

An abnormally high amount of user account login attempts were seen on a host within a short period of time.
This may have resulted from a login password spray attack.

Attacker's Goals

An attacker may be attempting to gain unauthorized access to user accounts.

Investigative actions

  • Check the amount of time in between each login attempt.
  • Investigate the reason behind the login failures and if any accounts were locked out.
  • Look for any successful login attempts and the ratio of login success versus login failures.

Variations

Successful External Login Password Spray on a Domain Controller

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Brute Force: Password Spraying (T1110.003)

Severity

Medium

Description

An abnormally high amount of user account login attempts were seen on a domain controller within a short period of time.

Attacker's Goals

An attacker may be attempting to gain unauthorized access to user accounts.

Investigative actions

  • Check the amount of time in between each login attempt.
  • Investigate the reason behind the login failures and if any accounts were locked out.
  • Look for any successful login attempts and the ratio of login success versus login failures.


Successful External Login Password Spray

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Brute Force: Password Spraying (T1110.003)

Severity

Low

Description

An abnormally high amount of user account login attempts were seen on a host within a short period of time.
This may have resulted from a login password spray attack.

Attacker's Goals

An attacker may be attempting to gain unauthorized access to user accounts.

Investigative actions

  • Check the amount of time in between each login attempt.
  • Investigate the reason behind the login failures and if any accounts were locked out.
  • Look for any successful login attempts and the ratio of login success versus login failures.


External Login Password Spray on a Domain Controller

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Brute Force: Password Spraying (T1110.003)

Severity

Low

Description

An abnormally high amount of user account login attempts were seen on a domain controller within a short period of time.

Attacker's Goals

An attacker may be attempting to gain unauthorized access to user accounts.

Investigative actions

  • Check the amount of time in between each login attempt.
  • Investigate the reason behind the login failures and if any accounts were locked out.
  • Look for any successful login attempts and the ratio of login success versus login failures.


External Login Password Spray on a sensitive server

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Brute Force: Password Spraying (T1110.003)

Severity

Medium

Description

An abnormally high amount of user account login attempts were seen on a sensitive server within a short period of time.

Attacker's Goals

An attacker may be attempting to gain unauthorized access to user accounts.

Investigative actions

  • Check the amount of time in between each login attempt.
  • Investigate the reason behind the login failures and if any accounts were locked out.
  • Look for any successful login attempts and the ratio of login success versus login failures.