Synopsis
Description
An abnormally high number of user account login attempts were seen from a host within a short period of time.
This may have resulted from a login password spray attack.
Attacker's Goals
An attacker may be attempting to gain unauthorized access to user accounts.
Investigative actions
- Check the amount of time in between each authentication attempt.
- Investigate the reason behind the login failures and whether any accounts were locked out.
- Look for any successful authentication attempts and the ratio of login success versus login failures.
- Monitor for potential abuse of MFA on users who have successfully logged in.
Variations
Suspicious intensive and short internal Login Password Spray
Synopsis
Description
An abnormally high number of login attempts within a very short period of time and suspicious automated behavior.
Attacker's Goals
An attacker may be attempting to gain unauthorized access to user accounts.
Investigative actions
- Check the amount of time in between each authentication attempt.
- Investigate the reason behind the login failures and whether any accounts were locked out.
- Look for any successful authentication attempts and the ratio of login success versus login failures.
- Monitor for potential abuse of MFA on users who have successfully logged in.
Internal Login Password Spray with many wrong password attempts
Synopsis
Description
An abnormally high number of user account login attempts with a wrong password were seen within a short period of time.
Attacker's Goals
An attacker may be attempting to gain unauthorized access to user accounts.
Investigative actions
- Check the amount of time in between each authentication attempt.
- Investigate the reason behind the login failures and whether any accounts were locked out.
- Look for any successful authentication attempts and the ratio of login success versus login failures.
- Monitor for potential abuse of MFA on users who have successfully logged in.
Internal Login Password Spray attempt on local user
Synopsis
Description
An abnormally high number of login attempts with the same username to different domains or local machines within a short period of time.
Attacker's Goals
An attacker may be attempting to gain unauthorized access to user accounts.
Investigative actions
- Check the amount of time in between each authentication attempt.
- Investigate the reason behind the login failures and whether any accounts were locked out.
- Look for any successful authentication attempts and the ratio of login success versus login failures.
- Monitor for potential abuse of MFA on users who have successfully logged in.
Internal Login Password Spray on many users
Synopsis
Description
An abnormally high number of user account login attempts were seen from a host within a short period of time.
This may have resulted from a login password spray attack.
Attacker's Goals
An attacker may be attempting to gain unauthorized access to user accounts.
Investigative actions
- Check the amount of time in between each authentication attempt.
- Investigate the reason behind the login failures and whether any accounts were locked out.
- Look for any successful authentication attempts and the ratio of login success versus login failures.
- Monitor for potential abuse of MFA on users who have successfully logged in.
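The investigative actions that repeat under each variation above can be run as a single triage pass over a host's authentication events. The following is an added example, not part of the original page or the product: the event layout, the `FAIL`/`SUCCESS` and reason values, the host names and the `triage` function are all assumptions, and the sample events are constructed.

```python
from collections import Counter
from datetime import datetime
from statistics import median, pstdev

# Constructed sample events, not real telemetry. Field layout is an assumption:
# (timestamp, source_host, user, result, failure_reason)
_OUTCOMES = [
    ("alice", "FAIL", "bad_password"), ("bob", "FAIL", "bad_password"),
    ("carol", "FAIL", "bad_password"), ("dave", "FAIL", "account_locked"),
    ("erin", "FAIL", "bad_password"), ("frank", "FAIL", "bad_password"),
    ("grace", "SUCCESS", ""), ("heidi", "FAIL", "bad_password"),
]
EVENTS = [(f"2024-05-01T10:00:{2 * i:02d}", "ws-17", u, res, why)
          for i, (u, res, why) in enumerate(_OUTCOMES)]
EVENTS.append(("2024-05-01T10:00:05", "ws-02", "zoe", "SUCCESS", ""))  # unrelated host


def triage(events, host):
    """Summarise one source host's login attempts for the checks listed above."""
    rows = sorted(((datetime.fromisoformat(t), u, res, why)
                   for t, h, u, res, why in events if h == host),
                  key=lambda r: r[0])
    if not rows:
        return None
    times = [r[0] for r in rows]
    # Time between consecutive attempts: short, near-constant gaps suggest automation.
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    fails = [r for r in rows if r[2] == "FAIL"]
    successes = len(rows) - len(fails)
    return {
        "attempts": len(rows),
        "distinct_users": len({r[1] for r in rows}),
        "median_gap_s": median(gaps) if gaps else None,
        "gap_stdev_s": pstdev(gaps) if gaps else None,
        # Why logins failed, and which accounts ended up locked out.
        "failure_reasons": dict(Counter(r[3] for r in fails)),
        "locked_out": sorted({r[1] for r in fails if r[3] == "account_locked"}),
        # Success versus failure ratio (inf when nothing failed).
        "success_to_failure": successes / len(fails) if fails else float("inf"),
        # Accounts that did authenticate: review their MFA activity next.
        "mfa_followup": sorted({r[1] for r in rows if r[2] == "SUCCESS"}),
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS, "ws-17").items():
        print(f"{key}: {value}")
```

On the constructed data, eight distinct users are tried at a constant two-second interval, one account is locked out, and the single successful login is the account to review for MFA activity.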