EXPLORE

← Back to Explore

T1110.003

Password Spraying

Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (C...

ContainersESXiIaaSIdentity ProviderLinuxNetwork DevicesOffice SuiteSaaSWindowsmacOS

65

Detections

2

Sources

11

Threat Actors

BY SOURCE

40splunk_escu25elastic

PROCEDURES (26)

Unusual8 detections

Auto-extracted: 8 detections for unusual

Kerbero6 detections

Auto-extracted: 6 detections for kerbero

Brute Force5 detections

Auto-extracted: 5 detections for brute force

Credential5 detections

Auto-extracted: 5 detections for credential

Azure4 detections

Auto-extracted: 4 detections for azure

Privilege4 detections

Auto-extracted: 4 detections for privilege

Bypass3 detections

Auto-extracted: 3 detections for bypass

Authentication Monitoring3 detections

Auto-extracted: 3 detections for authentication monitoring

Aws3 detections

Auto-extracted: 3 detections for aws

Spray3 detections

Auto-extracted: 3 detections for spray

Brute Force3 detections

Auto-extracted: 3 detections for brute force

Anomal2 detections

Auto-extracted: 2 detections for anomal

Cloud2 detections

Auto-extracted: 2 detections for cloud

Service2 detections

Auto-extracted: 2 detections for service

Remote1 detections

Auto-extracted: 1 detections for remote

Azure1 detections

Auto-extracted: 1 detections for azure

Azure1 detections

Auto-extracted: 1 detections for azure

Unusual1 detections

Auto-extracted: 1 detections for unusual

Service1 detections

Auto-extracted: 1 detections for service

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Credential1 detections

Auto-extracted: 1 detections for credential

Spray1 detections

Auto-extracted: 1 detections for spray

Privilege1 detections

Auto-extracted: 1 detections for privilege

Remote1 detections

Auto-extracted: 1 detections for remote

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Lateral1 detections

Auto-extracted: 1 detections for lateral

THREAT ACTORS (11)

Agrius APT28 APT29 APT33 Chimera Ember Bear HAFNIUM HEXANE Lazarus Group Leafminer Silent Librarian

DETECTIONS (65)

Attempts to Brute Force an Okta User Account

AWS High Number Of Failed Authentications From Ip

AWS Multiple Users Failing To Authenticate From Ip

AWS Unusual Number of Failed Authentications From Ip

Azure Active Directory High Risk Sign-in

Azure AD High Number Of Failed Authentications From Ip

Azure AD Multi-Source Failed Authentications Spike

Azure AD Multiple Users Failing To Authenticate From Ip

Azure AD Successful Authentication From Different Ips

Azure AD Unusual Number of Failed Authentications From Ip

Cisco ASA - User Account Lockout Threshold Exceeded

Detect Distributed Password Spray Attempts

Detect Password Spray Attack Behavior From Source

Detect Password Spray Attack Behavior On User

Detect Password Spray Attempts

Entra ID Excessive Account Lockouts Detected

Entra ID Protection - Risk Detection - Sign-in Risk

Entra ID Protection - Risk Detection - User Risk

Entra ID Sign-in Brute Force Attempted (Microsoft 365)

Entra ID Sign-in TeamFiltration User-Agent Detected

Entra ID User Sign-in Brute Force Attempted

Entra ID User Sign-in with Unusual Authentication Type

GCP Multiple Users Failing To Authenticate From Ip

GCP Unusual Number of Failed Authentications From Ip

M365 Identity User Account Lockouts

M365 Identity User Brute Force Attempted

Multiple Logon Failure Followed by Logon Success

Multiple Logon Failure from the same Source Address

Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy

Multiple Okta User Authentication Events with Same Device Token Hash

O365 Multi-Source Failed Authentications Spike

O365 Multiple Users Failing To Authenticate From Ip

Okta Multiple Users Failing To Authenticate From Ip

Okta Successful Login After Credential Attack

Potential External Linux SSH Brute Force Detected

Potential Internal Linux SSH Brute Force Detected

Potential Okta Password Spray (Multi-Source)

Potential Okta Password Spray (Single Source)

Potential Password Spraying Attack via SSH

Potential Successful SSH Brute Force Attack

Privileged Accounts Brute Force

Spike in Failed Logon Events

Spike in Logon Events

Spike in Successful Logon Events from a Source IP

Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos

Windows Multiple Invalid Users Fail To Authenticate Using Kerberos

Windows Multiple Invalid Users Failed To Authenticate Using NTLM

Windows Multiple NTLM Null Domain Authentications

Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials

Windows Multiple Users Failed To Authenticate From Host Using NTLM

Windows Multiple Users Failed To Authenticate From Process

Windows Multiple Users Failed To Authenticate Using Kerberos

Windows Multiple Users Remotely Failed To Authenticate From Host

Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos

Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos

Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM

Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials

Windows Unusual Count Of Users Failed To Auth Using Kerberos

Windows Unusual Count Of Users Failed To Authenticate From Process

Windows Unusual Count Of Users Failed To Authenticate Using NTLM

Windows Unusual Count Of Users Remotely Failed To Auth From Host

Windows Unusual NTLM Authentication Destinations By Source

Windows Unusual NTLM Authentication Destinations By User

Windows Unusual NTLM Authentication Users By Destination

Windows Unusual NTLM Authentication Users By Source