Detecting password spraying attacks within Active Directory environments
In a password spraying attack, attackers use one password, or a short list of commonly used or popular passwords, against a large volume of usernames to acquire valid account credentials. This tactic can be used to obtain initial access to an environment, and can also be used to escalate privileges when access has already been achieved.
In some scenarios, password spraying capitalizes on the password rotation security policies implemented by most organizations. As users change their passwords, it is possible that some pick predictable or seasonal passwords that match commonly used passwords on the attacker's password lists.
These searches detect possible password spraying attacks against Active Directory environments, using Windows Event Logs in the Account Logon and Logon/Logoff Advanced Audit Policy categories. The searches help identify instances where one source user, source host, or source process attempts to authenticate against one or more targets using an unusually high number of unique users, which is not common behavior for legitimate systems.
Data required
- Microsoft
- Active Directory audit data
- Windows event logs
How to use Splunk software for this use case
Multiple user metrics
- Disabled users failed to authenticate with Kerberos
- Invalid users fail to authenticate using Kerberos
- Invalid users failed to authenticate using NTLM
- Users fail to authenticate with explicit credentials
- Users failed to authenticate from host using NTLM
- Users failed to authenticate from process
- Users failed to authenticate using Kerberos
- Users remotely failed to authenticate from host
Unusual count metrics
- Disabled users failed auth using Kerberos
- Invalid users fail to auth using Kerberos
- Invalid users failed to auth using NTLM
- Users fail to auth with explicit credentials
- Users failed to auth using Kerberos
- Users failed to authenticate from process
- Users failed to authenticate using NTLM
- Users remotely failed to auth from host
Next steps
Possible false positive scenarios include vulnerability scanners, remote administration tools, multi-user systems and misconfigured systems. You should spot these when first implementing the detection and add them to an allow list or lookup table.
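The following Python is an added example, not from the original page and not Splunk's own search content. It models the two families of searches listed above (a fixed "multiple user" threshold and a baseline-relative "unusual count") over constructed Windows Security event records, and applies the allow list from the next steps so that a known vulnerability scanner is dropped before scoring. The event fields, sample hosts and usernames, the 5-minute bucket, the threshold of 10, and the baseline counts are all assumptions made for the illustration.

```python
"""Added example: model of the "many distinct users from one source"
logic behind the password spraying searches, over constructed events."""
from collections import defaultdict
from statistics import mean, pstdev
from datetime import datetime

# Constructed sample events (not real log data). Fields are modelled on
# Windows Security log fields: EventCode 4771 = Kerberos pre-auth failed
# (Failure_Code 0x18 bad password, 0x6 client not found), 4776 = NTLM
# validation failed (0xC000006A bad password, 0xC0000064 unknown user),
# 4625 = failed logon. "src" is the workstation or IP the attempt came from.
def _mk(minute, code, src, user, status):
    return {"_time": datetime(2024, 1, 15, 9, minute),
            "EventCode": code, "src": src, "user": user, "status": status}

SAMPLE_EVENTS = (
    # normal background: one user mistyping a password twice
    [_mk(1, 4771, "WS-FINANCE-07", "alice", "0x18"),
     _mk(2, 4771, "WS-FINANCE-07", "alice", "0x18")]
    # one source failing against many distinct accounts in a short time
    + [_mk(3 + i // 4, 4776, "10.0.5.23", f"user{i:02d}", "0xC000006A")
       for i in range(24)]
    # a vulnerability scanner that legitimately trips the same logic
    + [_mk(4, 4625, "VULNSCAN-01", f"svc{i}", "0xC000006A") for i in range(12)]
)

# Sources confirmed benign after triage (scanners, remote admin tools).
ALLOW_LIST = {"VULNSCAN-01"}

# Constructed baseline: distinct-user counts seen per source in earlier
# buckets, the data an "unusual count" search would compare against.
BASELINE = {"WS-FINANCE-07": [1, 1, 2, 1, 1, 1, 1, 2],
            "10.0.5.23": [1, 1, 1, 1, 1, 1]}

FAILURE_CODES = {"0x18", "0x6", "0xC000006A", "0xC0000064"}


def distinct_users_per_source(events, span_minutes=5, allow_list=frozenset()):
    """Equivalent of `bin _time span=5m | stats dc(user) by src, _time`:
    distinct target users per source per fixed time bucket, keeping only
    authentication failures and dropping allow-listed sources.
    span_minutes is assumed to divide 60 so buckets align to the hour."""
    buckets = defaultdict(set)
    for ev in events:
        if ev["status"] not in FAILURE_CODES or ev["src"] in allow_list:
            continue
        t = ev["_time"]
        start = t.replace(minute=t.minute - t.minute % span_minutes,
                          second=0, microsecond=0)
        buckets[(ev["src"], start)].add(ev["user"])
    return {key: len(users) for key, users in buckets.items()}


def flag_fixed_threshold(counts, threshold=10):
    """"Multiple user" style metric: any source that fails against at
    least `threshold` distinct users inside one bucket is flagged."""
    return sorted({src for (src, _), n in counts.items() if n >= threshold})


def flag_unusual_count(counts, history, sigma=3.0):
    """"Unusual count" style metric: flag a bucket whose distinct-user
    count exceeds the source's own baseline mean + sigma * stdev.
    The stdev is floored at 1.0 so a perfectly flat baseline does not
    turn a single extra user into an alert."""
    flagged = set()
    for (src, _), n in counts.items():
        base = history.get(src, [])
        if len(base) < 2:
            continue  # no usable baseline for this source yet
        if n > mean(base) + sigma * max(pstdev(base), 1.0):
            flagged.add(src)
    return sorted(flagged)


if __name__ == "__main__":
    counts = distinct_users_per_source(SAMPLE_EVENTS, allow_list=ALLOW_LIST)
    for (src, start), n in sorted(counts.items()):
        print(f"{start:%H:%M} {src:15} distinct users: {n}")
    print("fixed threshold:", flag_fixed_threshold(counts))
    print("unusual vs baseline:", flag_unusual_count(counts, BASELINE))
```

Running the block prints the per-bucket counts and both flag lists; the scanner only appears when the allow list is omitted, which is the situation the next steps describe when a detection is first rolled out. In a real deployment the baseline would be computed from the same search over a trailing period rather than hard-coded.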
These additional Splunk resources might help you understand and implement this use case: