Techniques
Sample rules
Potential password in username
- source: splunk
- technicques:
- T1078.003
- T1552.001
Description
This search identifies users who have entered their passwords in username fields. This is done by looking for failed authentication attempts using usernames with a length longer than 7 characters and a high Shannon entropy, and looks for the next successful authentication attempt from the same source system to the same destination system as the failed attempt.
Detection logic
| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication WHERE nodename=Authentication.Failed_Authentication BY "Authentication.user"
| `drop_dm_object_name(Authentication)`
| lookup ut_shannon_lookup word AS user
| where ut_shannon>3 AND len(user)>=8 AND mvcount(src) == 1
| sort count, - ut_shannon
| eval incorrect_cred=user
| eval endtime=endtime+1000
| map maxsearches=70 search="
| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication WHERE nodename=Authentication.Successful_Authentication Authentication.src=\"$src$\" Authentication.dest=\"$dest$\" sourcetype IN (\"$sourcetype$\") earliest=\"$starttime$\" latest=\"$endtime$\" BY \"Authentication.user\"
| `drop_dm_object_name(\"Authentication\")`
| `potential_password_in_username_false_positive_reduction`
| eval incorrect_cred=\"$incorrect_cred$\"
| eval ut_shannon=\"$ut_shannon$\"
| sort count"
| where user!=incorrect_cred
| outlier action=RM count
| `potential_password_in_username_filter`