Internal Login Password Spray

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

1 Hour

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Identity Analytics

Detector Tags

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Brute Force: Password Spraying (T1110.003)

Severity

Informational

Description

An abnormally high amount of user account login attempts were seen from a host within a short period of time.
This may have resulted from a login password spray attack.

Attacker's Goals

An attacker may be attempting to gain unauthorized access to user accounts.

Investigative actions

  • Check the amount of time in between each authentication attempt.
  • Investigate the reason behind the login failures and if any accounts were locked out.
  • Look for any successful authentication attempts and the ratio of login success versus login failures.

Variations

Suspicious intensive and short internal Login Password Spray

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Brute Force: Password Spraying (T1110.003)

Severity

Medium

Description

An abnormally high number of login attempts within a very short period of time and suspicious automated behavior.

Attacker's Goals

An attacker may be attempting to gain unauthorized access to user accounts.

Investigative actions

  • Check the amount of time in between each authentication attempt.
  • Investigate the reason behind the login failures and if any accounts were locked out.
  • Look for any successful authentication attempts and the ratio of login success versus login failures.


Internal Login Password Spray with many wrong password attempts

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Brute Force: Password Spraying (T1110.003)

Severity

Low

Description

An abnormally high amount of user account login attempts with wrong password were seen with a wrong password within a short period of time.

Attacker's Goals

An attacker may be attempting to gain unauthorized access to user accounts.

Investigative actions

  • Check the amount of time in between each authentication attempt.
  • Investigate the reason behind the login failures and if any accounts were locked out.
  • Look for any successful authentication attempts and the ratio of login success versus login failures.


Internal Login Password Spray attempt on local user

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Brute Force: Password Spraying (T1110.003)

Severity

Low

Description

An abnormally high number of login attempts with the same username to different domains or local machines within a short period of time.

Attacker's Goals

An attacker may be attempting to gain unauthorized access to user accounts.

Investigative actions

  • Check the amount of time in between each authentication attempt.
  • Investigate the reason behind the login failures and if any accounts were locked out.
  • Look for any successful authentication attempts and the ratio of login success versus login failures.