Password spray attack observed

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects password spray attacks where a single source IP attempts to authenticate against multiple user accounts.

Strategy

This rule monitors authentication logs across multiple platforms, including Okta, AWS CloudTrail, Auth0, and Microsoft 365. A password spray attack attempts authentication against many different user accounts with a small number of common passwords; spreading the attempts across accounts keeps each account below its lockout threshold while the attacker tries to compromise credentials across the organization.

Triage & Response

  • Examine the failed authentication attempts from {{@ocsf.src_endpoint.ip}} to verify the activity represents malicious behavior rather than legitimate user issues.
  • Review the targeted usernames to determine if they follow organizational naming conventions or represent high-value accounts.
  • Check if any successful authentication attempts occurred from the same source IP during the detection timeframe to identify potentially compromised accounts.
  • Check if any other IP addresses are exhibiting the same pattern.
  • Verify if the source IP address belongs to known organizational infrastructure, VPN endpoints, or external locations.
  • Analyze the timing patterns and frequency of failed attempts to distinguish between automated tools and manual authentication attempts.
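The following is an added example of the detection logic described under Strategy, combined with the triage step of checking for successful logins from the same source IP. It is not the rule's own implementation or Datadog code; the 10-minute window, the threshold of five distinct usernames, the OCSF-shaped field layout, and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(time, ip, user, status):
    # Minimal OCSF-shaped authentication event (constructed; only the fields used here).
    return {"time": time, "src_endpoint": {"ip": ip}, "user": {"name": user}, "status": status}

# Constructed sample log: a spray from one IP, a single-account brute force from another,
# and two unrelated failures. No real addresses or accounts.
EVENTS = [ev(f"2024-05-01T10:0{i}:00", "203.0.113.5", u, "Failure")
          for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
EVENTS.append(ev("2024-05-01T10:07:00", "203.0.113.5", "erin", "Success"))  # spray, then success
EVENTS += [ev(f"2024-05-01T10:0{i}:00", "198.51.100.7", "admin", "Failure") for i in range(6)]
EVENTS += [ev("2024-05-01T10:01:00", "192.0.2.9", "gina", "Failure"),
           ev("2024-05-01T11:30:00", "192.0.2.9", "hank", "Failure")]  # outside any 10-minute window

WINDOW = timedelta(minutes=10)  # assumed window; the rule's real values are not on the page
THRESHOLD = 5                   # assumed number of distinct usernames

def detect_password_spray(events, threshold=THRESHOLD, window=WINDOW):
    """Flag source IPs whose failed logins hit >= threshold distinct usernames inside any
    sliding window. Returns {ip: {"users": [...], "successes": [...]}}, where "successes"
    lists accounts that authenticated successfully from the same IP (triage step)."""
    failures = defaultdict(list)
    successes = defaultdict(set)
    for e in events:
        ip, user = e["src_endpoint"]["ip"], e["user"]["name"]
        if e["status"] == "Failure":
            failures[ip].append((datetime.fromisoformat(e["time"]), user))
        else:
            successes[ip].add(user)
    findings = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            # Count distinct usernames within `window` of this attempt, not raw failures:
            # many failures against one account is brute force, not a spray.
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= threshold:
                findings[ip] = {"users": sorted(users), "successes": sorted(successes[ip])}
                break
    return findings

if __name__ == "__main__":
    for ip, f in detect_password_spray(EVENTS).items():
        print(f"{ip}: {len(f['users'])} accounts targeted {f['users']}, successes={f['successes']}")
```

Only 203.0.113.5 is flagged: the brute force against a single account and the two isolated failures never reach five distinct usernames in one window.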