LoFP / t1110.001
Title: a user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.
Tags: t1110.001, t1201, azure tenant, aws account, splunk

Title: a user with successful authentication events from different ips may also represent the legitimate use of more than one device. filter as needed and/or customize the threshold to fit your environment.
Tags: t1110.001, T1110.003, T1535, t1586, azure tenant, aws account, splunk

Title: account fallback reasons (after failed login with specific account)
Tags: t1110, t1110.001, windows, sigma

Title: administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time.
Tags: t1110.001, t1586.003, aws account, splunk

Title: although unusual, users who have lost their passwords may trigger this detection. filter as needed.
Tags: t1110.001, o365 tenant, splunk

Title: an ip address with more than 20 failed authentication attempts in the span of 10 minutes may also be triggered by a broken application.
Tags: t1110.001, T1110.003, azure tenant, splunk

Title: in environments where multiple users legitimately access crushftp from behind the same nat or proxy, this may generate false positives. tune the threshold based on your organization's usage patterns.
Tags: t1110.001, T1110.004, web server, splunk

Title: rdp gateways may have unusually high amounts of traffic from all other hosts' rdp applications in the network. any legitimate rdp traffic using wrong/expired credentials will also be detected as a false positive.
Tags: t1110.001, endpoint, splunk

Title: software that uses the caret-encased keywords pass and user in its command line
Tags: t1110, t1110.001, windows, sigma

Title: users may genuinely mistype or forget the password.
Tags: t1110.001, t1586.003, aws account, splunk