Sample rules
AWS High Number Of Failed Authentications From Ip
- source: splunk
- techniques:
- T1110
- T1110.003
- T1110.004
Description
The following analytic detects an IP address with 20 or more failed authentication attempts to the AWS Web Console within a 5-minute window. This detection leverages CloudTrail logs, aggregating failed login events by IP address and time span. This activity is significant as it may indicate a brute force attack aimed at gaining unauthorized access or escalating privileges within an AWS environment. If confirmed malicious, this could lead to unauthorized access, data breaches, or further exploitation of AWS resources.
Detection logic
`cloudtrail` eventName=ConsoleLogin action=failure
| bucket span=5m _time
| stats dc(_raw) AS failed_attempts values(user_name) as tried_accounts values(user_agent) by _time, src_ip, eventName, eventSource, aws_account_id
| where failed_attempts > 20
| `aws_high_number_of_failed_authentications_from_ip_filter`
Azure AD High Number Of Failed Authentications From Ip
- source: splunk
- techniques:
- T1110
- T1110.001
- T1110.003
Description
The following analytic detects an IP address with 20 or more failed authentication attempts to an Azure AD tenant within 10 minutes. It leverages Azure AD SignInLogs to identify repeated failed logins from the same IP. This behavior is significant as it may indicate a brute force attack aimed at gaining unauthorized access or escalating privileges. If confirmed malicious, the attacker could potentially compromise user accounts, leading to unauthorized access to sensitive information and resources within the Azure environment.
Detection logic
`azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false
| rename properties.* as *
| bucket span=10m _time
| stats count min(_time) as firstTime max(_time) as lastTime dc(user) AS unique_accounts values(user) as user by src_ip _time
| where count > 20
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_high_number_of_failed_authentications_from_ip_filter`
High Number of Login Failures from a single source
- source: splunk
- techniques:
- T1110.001
- T1110
Description
The following analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address. It leverages Office365 management activity logs, specifically AzureActiveDirectoryStsLogon records, aggregating these logs in 5-minute intervals to count failed login attempts. This activity is significant as it may indicate brute-force attacks or password spraying, which are critical to monitor. If confirmed malicious, an attacker could gain unauthorized access to Office365 accounts, leading to potential data breaches, lateral movement within the organization, or further malicious activities using the compromised account.
Detection logic
`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon
| bucket span=5m _time
| stats dc(_raw) AS failed_attempts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent by _time, src_ip
| where failed_attempts > 10
| `high_number_of_login_failures_from_a_single_source_filter`
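The three searches above share one shape: filter failed logins, floor _time into a fixed span with `bucket`, count per src_ip with `stats`, and alert with `where count > N`. The following Python is an added example, not part of the Splunk content or of these rules, that re-implements that pipeline over constructed CloudTrail, Azure AD SignInLogs and Office 365 records so the behaviour can be checked offline. The raw field names used by the extractors (CloudTrail `responseElements.ConsoleLogin`, SignInLogs `callerIpAddress` and `properties.userPrincipalName`, O365 `ClientIP` and `UserId`) are simplified stand-ins for the CIM-normalised `action`, `src_ip` and `user` fields the searches rely on, and all sample events are made up.

```python
from collections import defaultdict
from datetime import datetime, timezone


def to_epoch(ts):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into epoch seconds."""
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())


def bucket_start(epoch, span_seconds):
    """Equivalent of `bucket span=<N>m _time`: floor to a fixed window boundary."""
    return epoch - (epoch % span_seconds)


def failed_logins_by_source(events, span_seconds, threshold, extract):
    """Shared shape of the three SPL searches:
    filter -> bucket _time -> stats count, values(user) by _time, src_ip -> where count > threshold.
    `extract(ev)` returns (timestamp, src_ip, user) for a failed login, else None."""
    agg = defaultdict(lambda: {"failed_attempts": 0, "tried_accounts": set()})
    for ev in events:
        hit = extract(ev)
        if hit is None:
            continue
        ts, src_ip, user = hit
        key = (bucket_start(to_epoch(ts), span_seconds), src_ip)
        agg[key]["failed_attempts"] += 1
        if user:
            agg[key]["tried_accounts"].add(user)
    alerts = []
    for (bucket, src_ip), v in sorted(agg.items()):
        if v["failed_attempts"] > threshold:  # strict '>' exactly as the SPL `where` clauses
            alerts.append({"bucket": datetime.fromtimestamp(bucket, timezone.utc).isoformat(),
                           "src_ip": src_ip, "failed_attempts": v["failed_attempts"],
                           "tried_accounts": sorted(v["tried_accounts"])})
    return alerts


# Per-source extractors. Field names are simplified raw-log shapes (assumption), not CIM fields.
def aws_console_failure(ev):
    """CloudTrail ConsoleLogin whose responseElements.ConsoleLogin is 'Failure'."""
    if ev.get("eventName") != "ConsoleLogin":
        return None
    if ev.get("responseElements", {}).get("ConsoleLogin") != "Failure":
        return None
    return ev["eventTime"], ev["sourceIPAddress"], ev.get("userIdentity", {}).get("userName")


def azure_ad_failure(ev):
    """Azure AD SignInLogs with status.errorCode 50126 (invalid username or password)."""
    props = ev.get("properties", {})
    if ev.get("category") != "SignInLogs" or props.get("status", {}).get("errorCode") != 50126:
        return None
    return ev["time"], ev["callerIpAddress"], props.get("userPrincipalName")


def o365_failure(ev):
    """Office 365 management activity UserLoginFailed records."""
    if ev.get("Workload") != "AzureActiveDirectory" or ev.get("Operation") != "UserLoginFailed":
        return None
    return ev["CreationTime"], ev["ClientIP"], ev.get("UserId")


# Constructed sample data (not real logs).
def _stamp(minute, i):
    """2024-05-01 at 10:<minute> plus i*10 seconds; carries into later minutes as needed."""
    total = minute * 60 + i * 10
    return f"2024-05-01T10:{total // 60:02d}:{total % 60:02d}Z"


def sample_cloudtrail():
    """25 failures from 198.51.100.7 inside one 5-minute window, 3 from 203.0.113.5, 1 success."""
    evs = [{"eventName": "ConsoleLogin", "eventTime": _stamp(0, i), "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"userName": f"user{i % 3}"},
            "responseElements": {"ConsoleLogin": "Failure"}} for i in range(25)]
    evs += [{"eventName": "ConsoleLogin", "eventTime": _stamp(1, i), "sourceIPAddress": "203.0.113.5",
             "userIdentity": {"userName": "alice"},
             "responseElements": {"ConsoleLogin": "Failure"}} for i in range(3)]
    evs.append({"eventName": "ConsoleLogin", "eventTime": _stamp(2, 0), "sourceIPAddress": "198.51.100.7",
                "userIdentity": {"userName": "user0"}, "responseElements": {"ConsoleLogin": "Success"}})
    return evs


def sample_signinlogs():
    """24 failures from one IP within 4 minutes, but straddling the 10:10 ten-minute bucket boundary."""
    return [{"category": "SignInLogs", "time": _stamp(8, i), "callerIpAddress": "192.0.2.9",
             "properties": {"status": {"errorCode": 50126}, "userPrincipalName": f"u{i}@example.com"}}
            for i in range(24)]


def sample_o365():
    """11 UserLoginFailed records from one IP within 5 minutes (threshold for that rule is 10)."""
    return [{"Workload": "AzureActiveDirectory", "Operation": "UserLoginFailed",
             "CreationTime": _stamp(30, i), "ClientIP": "198.51.100.7", "UserId": "bob@example.com"}
            for i in range(11)]


if __name__ == "__main__":
    print(failed_logins_by_source(sample_cloudtrail(), 300, 20, aws_console_failure))
    print(failed_logins_by_source(sample_signinlogs(), 600, 20, azure_ad_failure))  # [] : split across buckets
    print(failed_logins_by_source(sample_o365(), 300, 10, o365_failure))
```

Two properties of the SPL carry over and are worth knowing when tuning: the comparison is a strict `>`, so the 20th failure in a window (or the 10th for the O365 rule) does not fire even though the descriptions say "20 or more", and `bucket` uses fixed, aligned windows, so a burst that straddles a boundary (the SignInLogs sample: 24 failures in four minutes, 12 on each side of 10:10) is split and can stay under the threshold in both buckets. A sliding window (for example `streamstats` with `time_window`) closes that gap at the cost of more expensive searches.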