Password Spraying via Explicit Credentials
Detects a single user failing to authenticate to multiple users using explicit credentials.
Sigma rule

```yaml
title: Password Spraying via Explicit Credentials
id: 196a29c2-e378-48d8-ba07-8a9e61f7fab9
status: unsupported
description: Detects a single user failing to authenticate to multiple users using explicit credentials.
references:
    - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
author: Mauricio Velazco, Zach Mathis
date: 2021/06/01
modified: 2023/02/24
tags:
    - attack.t1110.003
    - attack.initial_access
    - attack.privilege_escalation
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4648
    filter:
        SubjectUserName|endswith: '$' # There will be much noise from computer accounts to UMFD-0, DWM-1, etc...
    timeframe: 1h
    condition: selection and not filter | count(TargetUserName) by SubjectUserName > 10
falsepositives:
    - Terminal servers
    - Jump servers
    - Other multiuser systems like Citrix server farms
    - Workstations with frequently changing users
level: medium
```
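The detection logic above, reimplemented in Python as an added example (not part of the rule or of Sigma itself): keep Event ID 4648, drop computer accounts whose SubjectUserName ends in `$`, and for each remaining SubjectUserName count distinct TargetUserName values inside a sliding one-hour window, alerting when the count exceeds 10. The event records and account names are constructed; the sliding window is one way a backend can realize the rule's `timeframe: 1h`.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4648 records (hypothetical accounts); a real feed would come
# from the Windows Security log, keeping only the fields the rule uses.
def make_event(ts, subject, target, event_id=4648):
    return {"TimeCreated": ts, "EventID": event_id,
            "SubjectUserName": subject, "TargetUserName": target}

T0 = datetime(2023, 2, 24, 9, 0, 0)
SAMPLE_EVENTS = (
    # jdoe touches 12 distinct accounts in 12 minutes: should alert
    [make_event(T0 + timedelta(minutes=i), "jdoe", f"user{i:02d}") for i in range(12)]
    # computer account hitting 15 targets: dropped by the '$' filter
    + [make_event(T0 + timedelta(minutes=i), "WS01$", f"svc{i:02d}") for i in range(15)]
    # helpdesk touches 5 accounts: below the > 10 threshold
    + [make_event(T0 + timedelta(minutes=i), "helpdesk", f"user{i:02d}") for i in range(5)]
    # slow spray: 12 targets 30 minutes apart, never more than 3 inside one hour
    + [make_event(T0 + timedelta(minutes=30 * i), "slow", f"acct{i:02d}") for i in range(12)]
    # 20 retries against one account: a single distinct target, so not a spray
    + [make_event(T0 + timedelta(seconds=i), "retry", "admin") for i in range(20)]
)

def password_spray_alerts(events, threshold=10, window_hours=1.0):
    """Mirror the rule: per SubjectUserName, the largest number of distinct
    TargetUserName values seen in any window of `window_hours`; return
    {subject: count} for subjects whose count exceeds `threshold`."""
    window = timedelta(hours=window_hours)
    by_subject = defaultdict(list)
    for e in events:
        if e["EventID"] != 4648:                  # selection: EventID 4648
            continue
        if e["SubjectUserName"].endswith("$"):    # filter: computer accounts
            continue
        by_subject[e["SubjectUserName"]].append((e["TimeCreated"], e["TargetUserName"]))
    alerts = {}
    for subject, hits in by_subject.items():
        hits.sort()
        start, peak = 0, 0
        for end in range(len(hits)):
            # shrink the window from the left until it spans at most window_hours
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, len({target for _, target in hits[start:end + 1]}))
        if peak > threshold:                      # count(TargetUserName) by SubjectUserName > 10
            alerts[subject] = peak
    return alerts

if __name__ == "__main__":
    print(password_spray_alerts(SAMPLE_EVENTS))   # {'jdoe': 12}
```

Widening `window_hours` shows why the 1h timeframe matters: the slow spray is invisible at one hour but exceeds the threshold once the window covers its whole run.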
Related rules
- Disabled Users Failing To Authenticate From Source Using Kerberos
- Invalid Users Failing To Authenticate From Single Source Using NTLM
- Invalid Users Failing To Authenticate From Source Using Kerberos
- Multiple Users Failing to Authenticate from Single Process
- Multiple Users Remotely Failing To Authenticate From Single Source