Password Spraying

Shared by Allan Konar
Difficulty: Advanced

This recipe showcases Quine's ability to identify fraudulent authentication attempts (password spraying attacks) and issue alerts in real time. Password spraying attacks are designed to avoid drawing attention to themselves: attempts are spread out over days, weeks, or months. The password spraying recipe ingests password-based authentication logs modeled on those of the top IAM providers (hosted and on-prem) and generates a graph containing the following nodes:

  • attempt - transaction representing a password authentication attempt  
  • user - user that originated the attempt  
  • client - client (computer/mobile/unknown) from which user originated the attempt  
  • asn - ASN from which user originated the attempt  
  • asset - asset (server, service, etc.) that the user targeted  
  • time - time of attempt

The recipe uses one standing query to link a user's authentication attempts in time order with a "NEXT" edge, while the second standing query raises an alert when four failed attempts are followed by a successful login, suggesting that a low-velocity password spraying attack may have succeeded.

In the sample data provided, the attempts are spread out over three months. Because Quine does not impose time windows, in production it could detect an attack spread over that long a period.
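To make the two standing queries concrete, here is an added Python example (not the recipe's own Cypher, and not Quine code) that builds the same graph model from a constructed JSON-lines authentication log and applies the same detection logic: attempts are grouped per user, chained in time order with NEXT edges, and an alert is raised whenever four or more consecutive failures are immediately followed by a success, with no time window, so a chain spanning months still matches. The log format, field names and ASN values are assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log in JSON-lines form, loosely modeled on
# IAM provider audit logs. All users, ASNs and timestamps are made up. Note
# that "alice" is probed roughly every two to three weeks over three months,
# while "bob" simply mistypes a password once and then logs in.
SAMPLE_LOG = """\
{"time":"2023-01-03T08:12:00Z","user":"alice","client":"mobile","asn":"AS64500","asset":"vpn","result":"FAIL"}
{"time":"2023-01-19T22:41:00Z","user":"alice","client":"unknown","asn":"AS64500","asset":"vpn","result":"FAIL"}
{"time":"2023-02-07T03:05:00Z","user":"alice","client":"computer","asn":"AS64501","asset":"mail","result":"FAIL"}
{"time":"2023-02-28T17:30:00Z","user":"alice","client":"unknown","asn":"AS64500","asset":"vpn","result":"FAIL"}
{"time":"2023-03-21T11:15:00Z","user":"alice","client":"computer","asn":"AS64502","asset":"vpn","result":"SUCCESS"}
{"time":"2023-01-10T09:00:00Z","user":"bob","client":"computer","asn":"AS64500","asset":"mail","result":"FAIL"}
{"time":"2023-01-10T09:01:00Z","user":"bob","client":"computer","asn":"AS64500","asset":"mail","result":"SUCCESS"}
"""


def build_graph(log_text):
    """Parse JSON-lines auth events into 'attempt' nodes and, per user, link
    them in time order with NEXT edges (the role of the first standing query).
    Returns (attempts, next_edge) where next_edge maps an attempt id to the id
    of that user's next attempt."""
    attempts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        attempts.append({
            "id": len(attempts),
            "time": datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": rec["user"],
            "client": rec["client"],
            "asn": rec["asn"],
            "asset": rec["asset"],
            "result": rec["result"],
        })
    # Logs rarely arrive in order, so sort each user's attempts by timestamp
    # before chaining them; that is what gives NEXT its temporal meaning.
    by_user = defaultdict(list)
    for attempt in attempts:
        by_user[attempt["user"]].append(attempt)
    next_edge = {}
    for user_attempts in by_user.values():
        user_attempts.sort(key=lambda a: a["time"])
        for earlier, later in zip(user_attempts, user_attempts[1:]):
            next_edge[earlier["id"]] = later["id"]
    return attempts, next_edge


def find_spray_alerts(attempts, next_edge, failures_before_success=4):
    """Walk each user's NEXT chain and alert when at least
    failures_before_success consecutive FAIL attempts are immediately
    followed by a SUCCESS (the role of the second standing query). No time
    window is applied: the run of failures may span months."""
    alerts = []
    # Chain heads are attempts that nothing points to with a NEXT edge.
    heads = set(range(len(attempts))) - set(next_edge.values())
    for head in sorted(heads):
        consecutive_fails = []
        node = head
        while node is not None:
            attempt = attempts[node]
            if attempt["result"] == "FAIL":
                consecutive_fails.append(attempt)
            elif attempt["result"] == "SUCCESS":
                if len(consecutive_fails) >= failures_before_success:
                    fails = consecutive_fails[-failures_before_success:]
                    alerts.append({
                        "user": attempt["user"],
                        "first_failure": fails[0]["time"],
                        "success": attempt["time"],
                        "span_days": (attempt["time"] - fails[0]["time"]).days,
                        "asns": sorted({a["asn"] for a in fails + [attempt]}),
                        "asset": attempt["asset"],
                    })
                # A success (or any non-FAIL outcome) breaks the run.
                consecutive_fails = []
            else:
                consecutive_fails = []
            node = next_edge.get(node)
    return alerts


if __name__ == "__main__":
    nodes, edges = build_graph(SAMPLE_LOG)
    for alert in find_spray_alerts(nodes, edges):
        print(json.dumps(alert, default=str))
```

Running the block prints one alert, for "alice": four failures from three different ASNs spread over 77 days and then a success, while "bob"'s single failure never reaches the threshold. Replacing `SAMPLE_LOG` with your own IAM export (after adapting the field names in `build_graph`) is enough to try the logic on real data.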

DOWNLOAD SAMPLE DATA

Download the sample data to the same directory as Quine, then try the recipe on your own IAM log data.

To run this recipe:

java -jar quine-x.x.x.jar -r passwordspraying 