Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | 1 Hour
Deduplication Period | 1 Day
Required Data |
Detection Modules | Identity Analytics
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | Informational
Description
An abnormally high number of user account login attempts was seen on a host within a short period of time.
This may have resulted from a login password spray attack.
Attacker's Goals
An attacker may be attempting to gain unauthorized access to user accounts.
Investigative actions
- Check the amount of time in between each login attempt.
- Investigate the reason behind the login failures and whether any accounts were locked out.
- Look for any successful login attempts and the ratio of login success versus login failures.
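The three checks above can be computed together from the login events behind the alert. The following is an added example, not part of the product or its documentation; the `timestamp account result reason` line format, the reason strings and the sample events are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample events (not real telemetry): time, account, result, reason.
SAMPLE_EVENTS = """\
2024-05-01T10:00:00 alice FAILURE bad_password
2024-05-01T10:00:02 bob FAILURE bad_password
2024-05-01T10:00:04 carol FAILURE account_locked
2024-05-01T10:00:06 dave SUCCESS -
2024-05-01T10:00:08 erin FAILURE bad_password
2024-05-01T10:00:10 frank FAILURE unknown_user
"""

def parse_events(text):
    """Parse 'timestamp account result reason' lines (assumed format), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, result, reason = line.split()
        events.append({"time": datetime.fromisoformat(ts), "account": account,
                       "result": result, "reason": reason})
    return sorted(events, key=lambda e: e["time"])

def summarize(events):
    """Compute the measurements named in the investigative actions."""
    gaps = [(b["time"] - a["time"]).total_seconds()
            for a, b in zip(events, events[1:])]
    failures = [e for e in events if e["result"] == "FAILURE"]
    successes = [e for e in events if e["result"] == "SUCCESS"]
    return {
        "distinct_accounts": len({e["account"] for e in events}),
        # Short, near-constant gaps are consistent with scripted attempts.
        "median_gap_seconds": median(gaps) if gaps else None,
        "failure_reasons": dict(Counter(e["reason"] for e in failures)),
        "locked_accounts": sorted({e["account"] for e in failures
                                   if e["reason"] == "account_locked"}),
        # Accounts with a success during the burst need follow-up first.
        "successful_accounts": sorted({e["account"] for e in successes}),
        "success_to_failure": (len(successes) / len(failures)
                               if failures else None),
    }

if __name__ == "__main__":
    for key, value in summarize(parse_events(SAMPLE_EVENTS)).items():
        print(f"{key}: {value}")
```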
Variations
Successful External Login Password Spray on a Domain Controller
Successful External Login Password Spray on a sensitive server
Successful External Login Password Spray
External Login Password Spray on a Domain Controller