
Nterl0k - T1110.003 [Spray and Pray] or [Boring but Works]

Open nterl0k opened this issue 1 year ago • 0 comments

Details

This is a generic password spray detection that can be used across all CIM compliant authentication sources.

Works based on the failure-to-success ratios common to malicious password guessing, and can be run over longer durations to catch subtle password guessing attempts (low/slow).


Sample data is provided in https://github.com/splunk/attack_data/pull/851 as an internal test case, but the detection also works well against external-facing authentication data sources (VPNs, web portals, etc.).

Checklist

  • [ ] Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • [ ] CI/CD jobs passed ✔️
  • [ ] Validated SPL logic.
  • [ ] Validated tags, description, and how to implement.
  • [ ] Verified references match analytic.

nterl0k commented Nov 11 '23 15:11
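To make the failure-to-success-ratio idea concrete, here is an added example (not the detection from this issue or from splunk/security_content) that applies the same logic in Python over a constructed set of CIM-style Authentication events (`_time`, `src`, `user`, `action`). Sources are bucketed into tumbling windows; a source is flagged when it touches at least `min_users` distinct accounts and its failures outnumber its successes by `min_ratio`. The thresholds, the window sizes and the sample data are all illustrative assumptions. The two-hour-apart "low/slow" source only surfaces when the window is widened from one hour to one day, which is the longer-duration point made above.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed CIM-style Authentication events (field names follow the Splunk CIM
# Authentication data model). This is made-up data, not a real log sample.
_BASE = datetime(2023, 11, 10, 0, 0, tzinfo=timezone.utc)


def _ev(offset, src, user, action):
    return {"_time": (_BASE + offset).timestamp(), "src": src, "user": user, "action": action}


SAMPLE_EVENTS = []
# 1) Classic spray: one source tries 12 accounts within an hour, one guess lands.
for i in range(12):
    SAMPLE_EVENTS.append(_ev(timedelta(hours=10, minutes=5 * i), "10.0.0.5", f"user{i:02d}", "failure"))
SAMPLE_EVENTS.append(_ev(timedelta(hours=10, minutes=57), "10.0.0.5", "user07", "success"))
# 2) Low-and-slow spray: one attempt every two hours across the day, never succeeds.
for i in range(12):
    SAMPLE_EVENTS.append(_ev(timedelta(hours=2 * i), "203.0.113.9", f"svc{i:02d}", "failure"))
# 3) Benign noise: alice mistypes her password twice, then logs in.
SAMPLE_EVENTS += [
    _ev(timedelta(hours=9, minutes=1), "192.168.1.20", "alice", "failure"),
    _ev(timedelta(hours=9, minutes=2), "192.168.1.20", "alice", "failure"),
    _ev(timedelta(hours=9, minutes=3), "192.168.1.20", "alice", "success"),
]


def detect_spray(events, window_seconds, min_users=5, min_ratio=5.0):
    """Bucket events by (src, tumbling window) and return the buckets whose
    distinct-user count and failure-to-success ratio look like a spray.
    Thresholds are illustrative assumptions, not tuned production values."""
    buckets = defaultdict(lambda: {"fail": 0, "success": 0, "users": set()})
    for e in events:
        win_start = int(e["_time"] // window_seconds) * window_seconds
        b = buckets[(e["src"], win_start)]
        b["users"].add(e["user"])
        if e["action"] == "failure":
            b["fail"] += 1
        elif e["action"] == "success":
            b["success"] += 1

    alerts = []
    for (src, win_start), b in sorted(buckets.items()):
        # No successes at all is the most suspicious case, so treat it as infinite.
        ratio = b["fail"] / b["success"] if b["success"] else float("inf")
        if len(b["users"]) >= min_users and ratio >= min_ratio:
            alerts.append({
                "src": src,
                "window_start": datetime.fromtimestamp(win_start, timezone.utc).isoformat(),
                "failures": b["fail"],
                "successes": b["success"],
                "distinct_users": len(b["users"]),
                "ratio": ratio,
            })
    return alerts


if __name__ == "__main__":
    for label, window in (("1h", 3600), ("24h", 86400)):
        print(f"--- window {label} ---")
        for a in detect_spray(SAMPLE_EVENTS, window):
            print(a)
```

With the one-hour window only 10.0.0.5 is reported; widening to a day also reports 203.0.113.9, while alice's two typos never qualify because they involve a single account. The same gating (distinct users first, ratio second) is what keeps a forgotten-password user from tripping a ratio-only rule.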