{
  "description": "Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.",
  "feed_url": "https://feed.craftedsignal.io/tags/password-spraying/",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_products": [],
      "_cs_severities": ["low"],
      "_cs_tags": ["credential-access", "defense-evasion", "brute-force", "password-spraying"],
      "_cs_type": "advisory",
      "_cs_vendors": [],
      "content_html": "\u003cp\u003eThis alert triggers when an Elastic machine learning job identifies a significant spike in successful authentication events originating from a specific source IP address. The underlying cause may range from legitimate administrative activity to malicious attempts at credential compromise, such as password spraying, user enumeration, or brute force attacks. The rule requires a minimum Elastic Stack version of 9.4.0 and relies on data ingested via Elastic Defend, Auditd Manager, or the System integration. The machine learning job associated with this rule is named \u0026ldquo;auth_high_count_logon_events_for_a_source_ip_ea\u0026rdquo;. While build servers and CI systems can trigger this alert as false positives, its presence should always prompt investigation to rule out credential compromise attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a network or system (not explicitly described in source).\u003c/li\u003e\n\u003cli\u003eCredential Harvesting: The attacker attempts to gather valid credentials through password spraying or brute-force attacks (T1110, T1110.003).\u003c/li\u003e\n\u003cli\u003eAccount Discovery: The attacker enumerates user accounts to identify potential targets, often performed in conjunction with password attacks.\u003c/li\u003e\n\u003cli\u003eSuccessful Authentication: Using compromised credentials, the attacker successfully authenticates to a system or service (T1078, T1078.002, T1078.003).\u003c/li\u003e\n\u003cli\u003eLateral Movement: After successful authentication, the attacker potentially moves laterally within the network using valid accounts (not explicitly described in source).\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker may attempt to escalate privileges to gain higher-level access (not explicitly described in source).\u003c/li\u003e\n\u003cli\u003eData Exfiltration/Impact: After gaining sufficient access, the attacker may exfiltrate sensitive data or cause damage to the system or network (not explicitly described in source).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, systems, and services. The number of affected users and the extent of the damage depend on the scope of the compromised credentials and the attacker\u0026rsquo;s objectives. This can impact any sector, as credential compromise is a common attack vector across various industries.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and configure the Elastic Defend, Auditd Manager, or System integrations to provide the necessary data for the machine learning job (see Setup section).\u003c/li\u003e\n\u003cli\u003eInstall the associated Machine Learning job \u0026ldquo;auth_high_count_logon_events_for_a_source_ip_ea\u0026rdquo; to enable the detection (see Setup section).\u003c/li\u003e\n\u003cli\u003eTune the anomaly threshold of the machine learning job based on your environment to reduce false positives (anomaly_threshold metadata).\u003c/li\u003e\n\u003cli\u003eInvestigate alerts triggered by this rule, focusing on identifying the involved assets, users, and source IP addresses (see Note section).\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2026-04-02T13:25:14Z",
      "date_published": "2026-04-02T13:25:14Z",
      "id": "/briefs/2026-04-auth-spike/",
      "summary": "A machine learning job detected a spike in successful authentication events from a source IP address, which can indicate password spraying, user enumeration, or brute force activity, potentially leading to credential access.",
      "title": "Spike in Successful Logon Events from a Source IP",
      "url": "https://feed.craftedsignal.io/briefs/2026-04-auth-spike/"
    },
    {
      "_cs_actors": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_products": ["Windows"],
      "_cs_severities": ["medium"],
      "_cs_tags": ["credential-access", "brute-force", "password-spraying", "windows"],
      "_cs_type": "advisory",
      "_cs_vendors": ["Microsoft"],
      "content_html": "\u003cp\u003eThis detection rule identifies potential password guessing or brute force activity against Windows systems. It focuses on detecting a high number of failed network logon attempts originating from a single source IP address within a short time frame. The rule analyzes Windows Security Event Logs, specifically looking for event category \u0026ldquo;authentication\u0026rdquo; and event action \u0026ldquo;logon-failed\u0026rdquo;. By aggregating failed authentication counts within a 60-second window and filtering out common authentication misconfiguration errors, the rule aims to pinpoint suspicious activity indicative of credential access attempts. This is important for defenders as it highlights potential breaches or malicious actors attempting to compromise user accounts via brute-force or password spraying attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker initiates a network connection to a Windows system, likely targeting a service such as SMB or RDP.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate using a list of usernames and passwords or commonly used passwords, generating failed logon attempts (Event ID 4625).\u003c/li\u003e\n\u003cli\u003eThe Windows system logs the failed authentication attempts in the Security Event Log.\u003c/li\u003e\n\u003cli\u003eThe detection rule monitors the Security Event Log for failed logon events (event.category == \u0026ldquo;authentication\u0026rdquo; and event.action == \u0026ldquo;logon-failed\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe rule aggregates the number of failed logon attempts from the same source IP address within a 60-second time window.\u003c/li\u003e\n\u003cli\u003eIf the number of failed attempts exceeds a threshold (e.g., 100) and involves multiple target usernames (Esql.count_distinct_target_user_name \u0026gt;= 2), the rule triggers a detection.\u003c/li\u003e\n\u003cli\u003eThe attacker may continue attempts after initial failures or pivot to successful credentials for lateral movement.\u003c/li\u003e\n\u003cli\u003eSuccessful credential access can lead to privilege escalation, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful brute-force or password spraying attacks can lead to unauthorized access to user accounts and sensitive data. The impact can range from minor inconvenience to significant data breaches and financial losses, depending on the compromised accounts and the data they have access to. The rule aims to reduce the window of opportunity for attackers to gain a foothold in the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Logon to generate the necessary Windows Security Event Logs. Follow the setup instructions outlined in the rule documentation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Multiple Logon Failure from the Same Source Address\u0026rdquo; to your SIEM and tune the threshold values (Esql.failed_auth_count and Esql.count_distinct_target_user_name) to minimize false positives in your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any triggered alerts by examining the logon failure reason codes and the targeted user names as described in the rule\u0026rsquo;s investigation guide.\u003c/li\u003e\n\u003cli\u003eMonitor network connections from the source IP address for any suspicious outbound traffic or lateral movement activity.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong password policies to mitigate the risk of successful brute-force attacks.\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2024-01-29T12:00:00Z",
      "date_published": "2024-01-29T12:00:00Z",
      "id": "/briefs/2024-01-multiple-logon-failure/",
      "summary": "Detection of multiple consecutive logon failures from the same source address within a short time interval on Windows systems, indicating potential brute force or password spraying attacks targeting multiple user accounts.",
      "title": "Multiple Logon Failure from the Same Source Address",
      "url": "https://feed.craftedsignal.io/briefs/2024-01-multiple-logon-failure/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed — Password-Spraying",
  "version": "https://jsonfeed.org/version/1.1"
}