Password Spray Many Users from Same IP Microsoft Defender for Identity
Detects multiple authentication failures across several user accounts originating from a single IP address, as identified by Microsoft Defender for Identity. This pattern is indicative of a password spraying attack where an attacker attempts common passwords against multiple users to gain unauthorized access.
Detection Query
#Vendor = "microsoft"
| #event.module = "defender-identity"
| Vendor.category = "AdvancedHunting-IdentityLogonEvents"
| Vendor.properties.LogonType = "Failed logon"
| groupBy([source.address], function=[count(as=total_failures),count(field=user.name, distinct=true, as=unique_users),collect(fields=user.name),collect(fields=Vendor.properties.DestinationDeviceName),min(@timestamp, as=start_time),max(@timestamp, as=end_time)])
| unique_users > 10
| time_diff_min := (end_time - start_time) / 60000
| time_diff_min <= 30
| start_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=start_time, timezone="UTC")
| end_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=end_time, timezone="UTC")
| drop([start_time, end_time])
| sort([unique_users], order=desc)
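As an added example that is not part of this query page or the CrowdStrike repository, the same detection logic is replayed in Python over constructed sample events so the thresholds can be checked offline: it assumes the query's fields flattened to dictionary keys (source.address, user.name, LogonType, DestinationDeviceName) and @timestamp as epoch milliseconds, and shows that a spray across many accounts fires, a single-account brute force does not, and successful logons are excluded from the failure count.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records carrying the fields the query keys on; not real
# Defender for Identity telemetry. @timestamp is epoch milliseconds, as in CQL.
BASE = 1_700_000_000_000
SAMPLE_EVENTS = (
    # 12 distinct users failing from one IP within ~4 minutes: the spray pattern.
    [{"source.address": "203.0.113.7", "user.name": f"user{i:02d}", "LogonType": "Failed logon",
      "DestinationDeviceName": "DC01", "@timestamp": BASE + i * 20_000} for i in range(12)]
    # One user failing 15 times from another IP: many failures, one account (not a spray).
    + [{"source.address": "198.51.100.9", "user.name": "alice", "LogonType": "Failed logon",
        "DestinationDeviceName": "DC02", "@timestamp": BASE + i * 5_000} for i in range(15)]
    # A successful logon from the spraying IP must not be counted as a failure.
    + [{"source.address": "203.0.113.7", "user.name": "bob", "LogonType": "Logon success",
        "DestinationDeviceName": "DC01", "@timestamp": BASE + 100_000}]
)

def fmt_utc(ms):
    """Equivalent of formatTime("%Y-%m-%d %H:%M:%S", timezone="UTC") for epoch ms."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def detect_password_spray(events, min_unique_users=10, max_window_min=30):
    """Replays the CQL: keep only failed logons, aggregate per source IP, then alert
    where distinct users > threshold and the first-to-last failure span is within
    max_window_min. As with the groupBy min/max, the window is measured across the
    whole input, so a spray paced slower than the window is not caught by this rule."""
    per_ip = defaultdict(lambda: {"total_failures": 0, "users": set(), "targets": set(), "ts": []})
    for ev in events:
        if ev["LogonType"] != "Failed logon":
            continue
        agg = per_ip[ev["source.address"]]
        agg["total_failures"] += 1
        agg["users"].add(ev["user.name"])
        agg["targets"].add(ev["DestinationDeviceName"])
        agg["ts"].append(ev["@timestamp"])
    hits = []
    for ip, agg in per_ip.items():
        start, end = min(agg["ts"]), max(agg["ts"])
        if len(agg["users"]) > min_unique_users and (end - start) / 60000 <= max_window_min:
            hits.append({"source.address": ip, "total_failures": agg["total_failures"],
                         "unique_users": len(agg["users"]), "targets": sorted(agg["targets"]),
                         "start_time_fmt": fmt_utc(start), "end_time_fmt": fmt_utc(end)})
    return sorted(hits, key=lambda h: h["unique_users"], reverse=True)  # sort(order=desc)

if __name__ == "__main__":
    for hit in detect_password_spray(SAMPLE_EVENTS):
        print(hit)
```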
Author
Kundan Kumar
Data Sources
Identity
Tags
Detection
cs_module:Identity
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Password Spray Many Users from Same IP Microsoft Defender for Identity
# MITRE ATT&CK technique IDs
mitre_ids:
- T1110.003
# Description of what the query does and its purpose.
description: |
  Detects multiple authentication failures across several user accounts originating from a single IP address, as identified by Microsoft Defender for Identity. This pattern is indicative of a password spraying attack where an attacker attempts common passwords against multiple users to gain unauthorized access.
# The author or team that created the query.
author: Kundan Kumar
# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
- Identity
# The CrowdStrike modules required to run this query.
cs_required_modules:
- Identity
# Tags for filtering and categorization.
tags:
- Detection
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  #Vendor = "microsoft"
  | #event.module = "defender-identity"
  | Vendor.category = "AdvancedHunting-IdentityLogonEvents"
  | Vendor.properties.LogonType = "Failed logon"
  | groupBy([source.address], function=[count(as=total_failures),count(field=user.name, distinct=true, as=unique_users),collect(fields=user.name),collect(fields=Vendor.properties.DestinationDeviceName),min(@timestamp, as=start_time),max(@timestamp, as=end_time)])
  | unique_users > 10
  | time_diff_min := (end_time - start_time) / 60000
  | time_diff_min <= 30
  | start_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=start_time, timezone="UTC")
  | end_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=end_time, timezone="UTC")
  | drop([start_time, end_time])
  | sort([unique_users], order=desc)
# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
  Detects multiple authentication failures across several user accounts originating from a single IP address, as identified by Microsoft Defender for Identity. This pattern is indicative of a password spraying attack where an attacker attempts common passwords against multiple users to gain unauthorized access.