{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/brute-force/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-6947"}],"_cs_exploited":false,"_cs_products":["DWM-222W USB Wi-Fi Adapter"],"_cs_severities":["high"],"_cs_tags":["brute-force","credential-access","network-device"],"_cs_type":"advisory","_cs_vendors":["D-Link"],"content_html":"\u003cp\u003eThe D-Link DWM-222W USB Wi-Fi Adapter is susceptible to a brute-force protection bypass vulnerability (CVE-2026-6947). This flaw allows an attacker on an adjacent network to circumvent the built-in login attempt limits. By repeatedly attempting different credentials without being blocked, an attacker can successfully brute-force the password and gain unauthorized access to the device. This vulnerability poses a significant risk as it enables attackers to potentially reconfigure the device, intercept network traffic, or use the compromised device as a pivot point for further attacks within the network. 
Successful exploitation leads to full control over the D-Link Wi-Fi adapter.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker locates a vulnerable D-Link DWM-222W USB Wi-Fi Adapter within adjacent network range.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates network communication with the device, targeting its login interface, likely via HTTP or HTTPS.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a series of login requests with different username and password combinations.\u003c/li\u003e\n\u003cli\u003eDue to the brute-force protection bypass, the device does not enforce login attempt limits or implement account lockout mechanisms.\u003c/li\u003e\n\u003cli\u003eThe attacker continues sending login requests until the correct credentials are found.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication, the attacker gains administrative access to the D-Link DWM-222W USB Wi-Fi Adapter\u0026rsquo;s configuration interface.\u003c/li\u003e\n\u003cli\u003eThe attacker reconfigures the device to their specifications, potentially enabling remote access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6947 allows an attacker to gain complete control over the D-Link DWM-222W USB Wi-Fi Adapter. This can lead to unauthorized access to the network it connects to, data interception, or the device being used as a launchpad for further attacks within the network. The impact is significant, as it bypasses standard security measures and grants full administrative privileges to the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for excessive authentication attempts targeting the D-Link DWM-222W USB Wi-Fi Adapter to detect potential brute-force attacks. 
Deploy the Sigma rule \u003ccode\u003eDetect Excessive Authentication Attempts\u003c/code\u003e to identify such activity.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised D-Link DWM-222W USB Wi-Fi Adapter.\u003c/li\u003e\n\u003cli\u003eIf possible, disable remote management interfaces on the D-Link DWM-222W USB Wi-Fi Adapter to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T04:16:23Z","date_published":"2026-04-24T04:16:23Z","id":"/briefs/2026-04-dlink-brute-force-bypass/","summary":"D-Link DWM-222W USB Wi-Fi Adapter is vulnerable to brute-force attacks due to a protection bypass, allowing unauthenticated adjacent network attackers to gain control over the device by circumventing login attempt limits.","title":"D-Link DWM-222W USB Wi-Fi Adapter Brute-Force Protection Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-dlink-brute-force-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-33710"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-33710","chamilo","api-key","brute-force","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChamilo LMS, a popular learning management system, contains a vulnerability in versions prior to 1.11.38 and 2.0.0-RC.3 related to the generation of REST API keys (CVE-2026-33710). The API keys are generated using a flawed algorithm: \u003ccode\u003emd5(time() + (user_id * 5) - rand(10000, 10000))\u003c/code\u003e. Due to \u003ccode\u003erand(10000, 10000)\u003c/code\u003e always returning 10000, the formula simplifies to \u003ccode\u003emd5(timestamp + user_id*5 - 10000)\u003c/code\u003e. An attacker knowing a valid username and a rough estimate of when the API key was generated can brute-force the key due to the limited entropy. This vulnerability allows unauthorized access to the Chamilo LMS REST API. 
The vulnerability was reported and patched in versions 1.11.38 and 2.0.0-RC.3. This poses a significant threat to educational institutions and organizations using vulnerable versions of Chamilo LMS.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a target Chamilo LMS instance running a vulnerable version (prior to 1.11.38 or 2.0.0-RC.3).\u003c/li\u003e\n\u003cli\u003eAttacker obtains a valid username on the target Chamilo LMS instance through OSINT or credential stuffing.\u003c/li\u003e\n\u003cli\u003eAttacker estimates the API key creation time. This might be inferred from user activity or system logs.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a script to generate potential API keys based on the predictable formula \u003ccode\u003emd5(timestamp + user_id*5 - 10000)\u003c/code\u003e using the known username and estimated timestamp.\u003c/li\u003e\n\u003cli\u003eThe script iterates through a range of timestamps around the estimated creation time, generating corresponding MD5 hashes.\u003c/li\u003e\n\u003cli\u003eAttacker sends API requests with the generated API keys to the Chamilo LMS server.\u003c/li\u003e\n\u003cli\u003eThe server validates the API key against the user.\u003c/li\u003e\n\u003cli\u003eUpon successful validation, the attacker gains unauthorized access to the Chamilo LMS REST API, potentially allowing them to modify course content, access user data, or perform other malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33710 can lead to unauthorized access to sensitive data within the Chamilo LMS, including user information, course materials, and grades. This could result in data breaches, academic fraud, and reputational damage for affected organizations. 
The vulnerability affects all organizations running vulnerable versions of Chamilo LMS; the number of victims is correlated to the number of vulnerable deployments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Chamilo LMS installations to version 1.11.38 or 2.0.0-RC.3 or later to patch CVE-2026-33710.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to monitor web server logs for unusual API requests originating from unexpected IP addresses, especially those carrying potentially valid API keys.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on API endpoints to mitigate brute-force attempts.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, consider temporarily disabling the REST API.\u003c/li\u003e\n\u003cli\u003eReview and audit user permissions within Chamilo LMS to minimize the impact of potential unauthorized access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-chamilo-api-key-bruteforce/","summary":"Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 generate predictable REST API keys, allowing attackers with knowledge of a username and approximate key creation time to brute-force access.","title":"Chamilo LMS REST API Key Brute-Force Vulnerability (CVE-2026-33710)","url":"https://feed.craftedsignal.io/briefs/2026-04-chamilo-api-key-bruteforce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["credential-access","defense-evasion","brute-force","password-spraying"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert triggers when an Elastic machine learning job identifies a significant spike in successful authentication events originating from a specific source IP address. 
The underlying cause may range from legitimate administrative activity to malicious attempts at credential compromise, such as password spraying, user enumeration, or brute force attacks. The rule requires a minimum Elastic Stack version of 9.4.0 and relies on data ingested via Elastic Defend, Auditd Manager, or the System integration. The machine learning job associated with this rule is named \u0026ldquo;auth_high_count_logon_events_for_a_source_ip_ea\u0026rdquo;. While build servers and CI systems can trigger this alert as false positives, its presence should always prompt investigation to rule out credential compromise attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a network or system (not explicitly described in source).\u003c/li\u003e\n\u003cli\u003eCredential Harvesting: The attacker attempts to gather valid credentials through password spraying or brute-force attacks (T1110, T1110.003).\u003c/li\u003e\n\u003cli\u003eAccount Discovery: The attacker enumerates user accounts to identify potential targets, often performed in conjunction with password attacks.\u003c/li\u003e\n\u003cli\u003eSuccessful Authentication: Using compromised credentials, the attacker successfully authenticates to a system or service (T1078, T1078.002, T1078.003).\u003c/li\u003e\n\u003cli\u003eLateral Movement: After successful authentication, the attacker potentially moves laterally within the network using valid accounts (not explicitly described in source).\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker may attempt to escalate privileges to gain higher-level access (not explicitly described in source).\u003c/li\u003e\n\u003cli\u003eData Exfiltration/Impact: After gaining sufficient access, the attacker may exfiltrate sensitive data or cause damage to the system or network (not explicitly described in 
source).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, systems, and services. The number of affected users and the extent of the damage depend on the scope of the compromised credentials and the attacker\u0026rsquo;s objectives. This can impact any sector, as credential compromise is a common attack vector across various industries.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and configure the Elastic Defend, Auditd Manager, or System integrations to provide the necessary data for the machine learning job (see Setup section).\u003c/li\u003e\n\u003cli\u003eInstall the associated Machine Learning job \u0026ldquo;auth_high_count_logon_events_for_a_source_ip_ea\u0026rdquo; to enable the detection (see Setup section).\u003c/li\u003e\n\u003cli\u003eTune the anomaly threshold of the machine learning job based on your environment to reduce false positives (anomaly_threshold metadata).\u003c/li\u003e\n\u003cli\u003eInvestigate alerts triggered by this rule, focusing on identifying the involved assets, users, and source IP addresses (see Note section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T13:25:14Z","date_published":"2026-04-02T13:25:14Z","id":"/briefs/2026-04-auth-spike/","summary":"A machine learning job detected a spike in successful authentication events from a source IP address, which can indicate password spraying, user enumeration, or brute force activity, potentially leading to credential access.","title":"Spike in Successful Logon Events from a Source 
IP","url":"https://feed.craftedsignal.io/briefs/2026-04-auth-spike/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-34505"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["rate-limiting","brute-force","webhook","cve-2026-34505"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw versions prior to 2026.3.12 are vulnerable to a rate-limiting bypass (CVE-2026-34505). The vulnerability exists because rate limiting is only applied after successful webhook authentication. This design flaw enables attackers to send numerous authentication requests with incorrect secrets without triggering rate limits. The vulnerability was reported on March 31, 2026. Successful exploitation allows attackers to systematically guess webhook secrets and subsequently submit forged…\u003c/p\u003e\n","date_modified":"2026-03-31T12:16:30Z","date_published":"2026-03-31T12:16:30Z","id":"/briefs/2026-03-openclaw-rate-limit-bypass/","summary":"OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets leading to forged webhook submission.","title":"OpenClaw Webhook Rate Limit Bypass Vulnerability (CVE-2026-34505)","url":"https://feed.craftedsignal.io/briefs/2026-03-openclaw-rate-limit-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Bitbucket"],"_cs_severities":["medium"],"_cs_tags":["bitbucket","authentication","brute-force","credential-access","initial-access"],"_cs_type":"advisory","_cs_vendors":["Atlassian"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting user login failures within Bitbucket environments. Monitoring failed login attempts is crucial as it can indicate various malicious activities, including credential stuffing, brute-force attacks, or attempts to gain unauthorized initial access. 
The audit logs in Bitbucket record details of these authentication failures, providing valuable data for security monitoring. The rule provided detects these events and can be used for correlation with other security events based on the \u0026ldquo;author.name\u0026rdquo; field for enhanced accuracy and context. Requires \u0026ldquo;Advance\u0026rdquo; log level to receive audit events.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access Attempt:\u003c/strong\u003e An attacker attempts to gain initial access to a Bitbucket account using a compromised or guessed username.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Guessing:\u003c/strong\u003e The attacker attempts to guess the user\u0026rsquo;s password through manual attempts or automated tools.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Failure:\u003c/strong\u003e Bitbucket records a \u0026ldquo;User login failed\u0026rdquo; event due to incorrect credentials. 
The \u003ccode\u003eauditType.category\u003c/code\u003e is Authentication, and \u003ccode\u003eauditType.action\u003c/code\u003e is User login failed.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMultiple Failed Attempts:\u003c/strong\u003e The attacker repeats the login attempts with different password variations or using a list of compromised credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Lockout (Optional):\u003c/strong\u003e Depending on Bitbucket\u0026rsquo;s configuration, repeated failed login attempts may trigger an account lockout.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuccessful Login (Potential):\u003c/strong\u003e After multiple attempts, the attacker may eventually guess the correct password or use a valid compromised credential.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation/Persistence (If Successful):\u003c/strong\u003e If successful, the attacker could escalate privileges, establish persistence, or perform other malicious actions within the Bitbucket environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive code repositories, intellectual property theft, and potential supply chain compromise. Attackers could inject malicious code, modify existing code, or exfiltrate sensitive data. Detecting these failed login attempts early can prevent significant damage. Although the number of victims cannot be determined with this specific detection, a successful attack can have far-reaching impacts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Bitbucket User Login Failure\u0026rdquo; to your SIEM to detect suspicious authentication failures (logsource: bitbucket, service: audit). 
Tune for your environment by correlating on the author.name field.\u003c/li\u003e\n\u003cli\u003eInvestigate the source IP addresses associated with the failed login attempts to identify potential malicious actors.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) to significantly reduce the risk of successful credential-based attacks.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual activity following any successful login after a series of failures.\u003c/li\u003e\n\u003cli\u003eEnforce strong password policies to reduce the effectiveness of brute-force attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-03-08T15:00:00Z","date_published":"2024-03-08T15:00:00Z","id":"/briefs/2024-03-bitbucket-login-fail/","summary":"Detection of Bitbucket user login failures, potentially indicating credential access attempts, initial access attempts, or other malicious activity.","title":"Bitbucket User Login Failure Detection","url":"https://feed.craftedsignal.io/briefs/2024-03-bitbucket-login-fail/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["credential-access","brute-force","password-spraying","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies potential password guessing or brute force activity against Windows systems. It focuses on detecting a high number of failed network logon attempts originating from a single source IP address within a short time frame. The rule analyzes Windows Security Event Logs, specifically looking for event category \u0026ldquo;authentication\u0026rdquo; and event action \u0026ldquo;logon-failed\u0026rdquo;. By aggregating failed authentication counts within a 60-second window and filtering out common authentication misconfiguration errors, the rule aims to pinpoint suspicious activity indicative of credential access attempts. 
This is important for defenders as it highlights potential breaches or malicious actors attempting to compromise user accounts via brute-force or password spraying attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker initiates a network connection to a Windows system, likely targeting a service such as SMB or RDP.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate using a list of usernames and passwords or commonly used passwords, generating failed logon attempts (Event ID 4625).\u003c/li\u003e\n\u003cli\u003eThe Windows system logs the failed authentication attempts in the Security Event Log.\u003c/li\u003e\n\u003cli\u003eThe detection rule monitors the Security Event Log for failed logon events (event.category == \u0026ldquo;authentication\u0026rdquo; and event.action == \u0026ldquo;logon-failed\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe rule aggregates the number of failed logon attempts from the same source IP address within a 60-second time window.\u003c/li\u003e\n\u003cli\u003eIf the number of failed attempts exceeds a threshold (e.g., 100) and involves multiple target usernames (Esql.count_distinct_target_user_name \u0026gt;= 2), the rule triggers a detection.\u003c/li\u003e\n\u003cli\u003eThe attacker may continue attempts after initial failures or pivot to successful credentials for lateral movement.\u003c/li\u003e\n\u003cli\u003eSuccessful credential access can lead to privilege escalation, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful brute-force or password spraying attacks can lead to unauthorized access to user accounts and sensitive data. The impact can range from minor inconvenience to significant data breaches and financial losses, depending on the compromised accounts and the data they have access to. 
The rule aims to reduce the window of opportunity for attackers to gain a foothold in the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Logon to generate the necessary Windows Security Event Logs. Follow the setup instructions outlined in the rule documentation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Multiple Logon Failure from the Same Source Address\u0026rdquo; to your SIEM and tune the threshold values (Esql.failed_auth_count and Esql.count_distinct_target_user_name) to minimize false positives in your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any triggered alerts by examining the logon failure reason codes and the targeted user names as described in the rule\u0026rsquo;s investigation guide.\u003c/li\u003e\n\u003cli\u003eMonitor network connections from the source IP address for any suspicious outbound traffic or lateral movement activity.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong password policies to mitigate the risk of successful brute-force attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-multiple-logon-failure/","summary":"Detection of multiple consecutive logon failures from the same source address within a short time interval on Windows systems, indicating potential brute force or password spraying attacks targeting multiple user accounts.","title":"Multiple Logon Failure from the Same Source Address","url":"https://feed.craftedsignal.io/briefs/2024-01-multiple-logon-failure/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Security Event Logs"],"_cs_severities":["medium"],"_cs_tags":["credential-access","brute-force","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule focuses on identifying brute-force or password guessing attacks 
against Windows systems. It detects multiple failed logon attempts originating from the same source IP address, followed by a successful logon. This pattern suggests an attacker attempting to guess credentials to gain unauthorized access to an account. The rule leverages Windows Security Event Logs to monitor authentication events. This activity is important for defenders because successful brute-force attacks can lead to account compromise, data breaches, and further malicious activities within the network. The rule uses EQL and analyzes \u003ccode\u003elogs-system.security*\u003c/code\u003e, \u003ccode\u003elogs-windows.forwarded*\u003c/code\u003e, and \u003ccode\u003ewinlogbeat-*\u003c/code\u003e indices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker initiates multiple failed logon attempts to a Windows system using various username and password combinations. These attempts originate from a single source IP address and target network logon types.\u003c/li\u003e\n\u003cli\u003eThe system records each failed logon attempt as a Windows Security Event Log event (Event ID 4625). 
The event includes information about the source IP address, target username, and failure reason.\u003c/li\u003e\n\u003cli\u003eAfter several failed attempts, the attacker guesses the correct password for a valid user account.\u003c/li\u003e\n\u003cli\u003eThe system records a successful logon event (Event ID 4624) for the compromised account, originating from the same source IP address as the previous failed attempts, also via a network logon type.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the target system using the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to escalate privileges or move laterally within the network, using the compromised account to access additional resources or systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful brute-force attack can lead to unauthorized access to sensitive data, system compromise, and further malicious activities within the network. Compromised accounts can be used to escalate privileges, move laterally, and deploy ransomware. The severity depends on the privileges of the compromised account and the sensitivity of the data it can access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Logon to generate the necessary events (4624, 4625) in the Windows Security Event Logs for the detection rule to function. Reference: \u003ca href=\"https://ela.st/audit-logon\"\u003ehttps://ela.st/audit-logon\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect multiple logon failures followed by a successful logon. 
Tune the rule based on your environment and baseline activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any triggered alerts to determine the scope of the compromise and take appropriate remediation steps.\u003c/li\u003e\n\u003cli\u003eConsider implementing multi-factor authentication (MFA) to mitigate the risk of brute-force attacks.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious activity originating from the source IP address associated with the brute-force attempts.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong password policies to reduce the likelihood of successful password guessing.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T14:00:00Z","date_published":"2024-01-09T14:00:00Z","id":"/briefs/2024-01-09-multiple-logon-failure-success/","summary":"This rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker may have compromised an account by brute-forcing login attempts across multiple users.","title":"Multiple Logon Failure Followed by Logon Success","url":"https://feed.craftedsignal.io/briefs/2024-01-09-multiple-logon-failure-success/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["signalk-server (\u003c= 2.24.0)"],"_cs_severities":["high"],"_cs_tags":["credential-access","brute-force","websocket"],"_cs_type":"advisory","_cs_vendors":["Signal K"],"content_html":"\u003cp\u003eSignal K server versions 2.24.0 and earlier are vulnerable to credential brute-forcing via the WebSocket protocol. The vulnerability stems from the lack of rate limiting on the WebSocket login endpoint (\u003ccode\u003e/signalk/v1/stream\u003c/code\u003e), which allows attackers to bypass the existing HTTP rate limiting mechanism. 
By establishing a WebSocket connection, an attacker can send an unlimited number of login attempts, effectively bypassing the intended rate limiting defense of 100 attempts per 10 minutes on the HTTP login endpoints. This makes it feasible to conduct dictionary attacks and potentially gain unauthorized access to Signal K servers. Signal K servers are commonly deployed on boat networks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Signal K server.\u003c/li\u003e\n\u003cli\u003eAttacker establishes a WebSocket connection to \u003ccode\u003ews://server:3000/signalk/v1/stream?subscribe=none\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server sends a hello message, confirming the connection.\u003c/li\u003e\n\u003cli\u003eAttacker sends a series of login attempts via WebSocket messages using the following JSON format: \u003ccode\u003e{\u0026quot;requestId\u0026quot;: \u0026quot;1\u0026quot;, \u0026quot;login\u0026quot;: {\u0026quot;username\u0026quot;: \u0026quot;admin\u0026quot;, \u0026quot;password\u0026quot;: \u0026quot;guess1\u0026quot;}}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server processes each login attempt without rate limiting.\u003c/li\u003e\n\u003cli\u003eAttacker continues sending login attempts using different password guesses.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains unauthorized access to the Signal K server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass HTTP rate limiting and brute-force credentials to gain unauthorized access to Signal K servers. An attacker can achieve a brute-forcing speed of approximately 20 attempts per second, limited by the bcrypt hashing algorithm. A dictionary attack with 10,000 words can be completed in approximately 8 minutes over a single connection. 
Since Signal K servers are commonly deployed on boat networks, successful exploitation can lead to unauthorized access to sensitive maritime data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network connections to Signal K servers for unusually high rates of WebSocket login attempts. Create a detection rule that triggers when a single IP address sends more than 5 login attempts per second via the WebSocket protocol.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect High Volume SignalK WebSocket Login Attempts\u003c/code\u003e to identify potential brute-force attacks against Signal K servers.\u003c/li\u003e\n\u003cli\u003eUpgrade Signal K servers to a patched version that includes rate limiting on the WebSocket login endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-signalk-brute-force/","summary":"The Signal K server's WebSocket login endpoint lacks rate limiting, allowing attackers to bypass HTTP rate limiting by opening a WebSocket connection and attempting unlimited password guesses.","title":"Signal K Server WebSocket Login Brute-Force Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-signalk-brute-force/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azuread","brute-force","credential-stuffing","authentication"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis brief focuses on detecting abnormal increases in failed authentication attempts within Azure Active Directory (Azure AD). An adversary attempting to gain unauthorized access to user accounts or systems often performs brute-force or credential stuffing attacks. These attacks result in a higher-than-normal number of failed sign-in attempts. 
Monitoring and detecting such increases can provide early warning of potential breaches or compromised accounts. Defenders should investigate any significant spikes in failed authentications as they might indicate malicious activity targeting user accounts or application access. The detection is based on analysis of Azure AD sign-in logs to identify when the number of failed sign-ins increases by 10% or greater, warranting further investigation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker attempts to gain initial access through various methods, such as phishing, compromised credentials, or exploiting vulnerabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Stuffing/Brute-Force:\u003c/strong\u003e The attacker uses lists of known usernames and passwords (credential stuffing) or systematically tries different password combinations (brute-force) against Azure AD accounts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Attempts:\u003c/strong\u003e Each failed authentication attempt is logged within Azure AD sign-in logs, recording details such as username, IP address, and failure reason.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eThreshold Exceeded:\u003c/strong\u003e The number of failed sign-in attempts reaches a threshold, triggering the detection rule based on a 10% or greater increase.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Lockout (Potential):\u003c/strong\u003e Multiple failed authentication attempts may lead to account lockouts, disrupting legitimate user access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuccessful Authentication (Potential):\u003c/strong\u003e If the attacker guesses the correct credentials, they gain unauthorized access to the target account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation/Lateral Movement:\u003c/strong\u003e After 
gaining access, the attacker attempts to escalate privileges or move laterally within the network to access sensitive data or systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Impact:\u003c/strong\u003e The attacker exfiltrates sensitive data or causes disruption to services depending on their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful brute-force or credential stuffing attack can lead to unauthorized access to user accounts, data breaches, and service disruptions. Depending on the compromised account\u0026rsquo;s privileges, the attacker may gain access to sensitive information, escalate privileges, or move laterally within the organization\u0026rsquo;s network. The impact could range from minor data leaks to significant financial losses and reputational damage. Early detection and mitigation are crucial to minimize the impact of such attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect increases in failed Azure AD sign-in attempts and tune the threshold (10%) based on your environment (\u003ccode\u003eCount: \u0026quot;\u0026lt;10%\u0026quot;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule to determine the source and scope of the increased failed authentications.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all users to mitigate the risk of credential-based attacks.\u003c/li\u003e\n\u003cli\u003eImplement account lockout policies to prevent attackers from repeatedly attempting to guess passwords.\u003c/li\u003e\n\u003cli\u003eMonitor sign-in logs for unusual patterns, such as sign-ins from unfamiliar locations or devices, to identify potential compromised 
accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"/briefs/2024-01-02-azure-ad-failed-auth-increase/","summary":"Detects a significant increase (10% or greater) in failed Azure AD sign-in attempts, potentially indicating brute-force attacks, credential stuffing, or other unauthorized access attempts.","title":"Azure AD Failed Authentication Increase","url":"https://feed.craftedsignal.io/briefs/2024-01-02-azure-ad-failed-auth-increase/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Security Event Logs"],"_cs_severities":["medium"],"_cs_tags":["credential-access","brute-force","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule, originally created on 2020-08-29 and last updated on 2026-05-04, identifies potential brute-force attempts against Windows systems. It focuses on scenarios where an attacker attempts to guess passwords for multiple accounts containing the term \u0026ldquo;admin\u0026rdquo; in their usernames, suggesting an attempt to compromise privileged accounts. The rule aggregates failed logon events to detect this activity. This is important for defenders as successful brute-force attacks can lead to unauthorized access, data breaches, and other malicious activities. 
The rule leverages Windows Security Event Logs and requires Audit Logon to be enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker attempts to gain initial access to the target network.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies potential target accounts with \u0026ldquo;admin\u0026rdquo; in their username.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a series of network logon attempts using various password combinations (T1110.001, T1110.003).\u003c/li\u003e\n\u003cli\u003eThe Windows system records failed logon events (Event ID 4625) in the Security Event Logs.\u003c/li\u003e\n\u003cli\u003eThe detection rule aggregates these failed logon events, filtering out known noisy failure codes.\u003c/li\u003e\n\u003cli\u003eIf the number of failed attempts against distinct \u0026ldquo;admin\u0026rdquo; accounts from the same source IP within a 60-second window exceeds a threshold (50 attempts against 2 distinct usernames), the rule triggers an alert.\u003c/li\u003e\n\u003cli\u003eThe attacker, if successful, gains unauthorized access to the targeted admin account.\u003c/li\u003e\n\u003cli\u003eWith access to an admin account, the attacker can perform a wide range of malicious activities, including privilege escalation, data exfiltration, and system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful brute-force attacks on administrator accounts can lead to significant damage. Attackers gaining access can escalate privileges, install malware, access sensitive data, or disrupt critical systems. This can result in data breaches, financial losses, and reputational damage. 
While specific victim counts are not provided, the rule\u0026rsquo;s focus on privileged accounts indicates a high potential for severe impact on organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Logon to generate the necessary Windows Security Event Logs. Refer to the setup instructions at \u003ca href=\"https://ela.st/audit-logon\"\u003ehttps://ela.st/audit-logon\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Windows Admin Account Brute Force\u0026rdquo; to your SIEM and tune the threshold parameters (failed_auth_count, count_distinct_user_name) for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts triggered by the Sigma rule, focusing on the source IP address, targeted usernames, and logon failure reason codes.\u003c/li\u003e\n\u003cli\u003eReview and strengthen password policies to prevent password guessing attacks (T1110).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious logon attempts from external IP addresses to internal systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-admin-account-bruteforce/","summary":"This rule identifies potential password guessing/brute force activity from a single source IP targeting multiple Windows accounts with 'admin' in the username, indicating an attempt to compromise privileged accounts.","title":"Windows Admin Account Brute Force Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-admin-account-bruteforce/"}],"language":"en","title":"CraftedSignal Threat Feed — Brute-Force","version":"https://jsonfeed.org/version/1.1"}