Password Spraying

Shared by
Allan Konar

This recipe showcases Quine's ability to identify fraudulent authentication attempts (called password spraying attacks) and send alerts in real time. Password spraying attacks are designed to avoid drawing attention to themselves: attempts are spread out over days, weeks, or months. The password spraying recipe ingests password-based authentication logs modeled on the top IAM providers (hosted and on-prem) and generates a graph with the following nodes:

  • attempt - transaction representing a password authentication attempt  
  • user - user that originated the attempt  
  • client - client (computer/mobile/unknown) from which user originated the attempt  
  • asn - ASN from which user originated the attempt  
  • asset - asset (server, service, etc.) that the user targeted  
  • time - time of attempt

The recipe uses one standing query to link each user's authentication attempts in time order with a “NEXT” edge, and a second standing query to raise an alert when four failed attempts are followed by a successful login, suggesting that a low-velocity password spraying attack may have succeeded.

In the sample data provided, the attempts are spread out over three months. Because Quine does not impose time windows, in a production situation it could detect an attack spread out over that long a period.
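As an added illustration of the detection logic the two standing queries express, here is a plain-Python model of the same idea. This is example code written for this page, not the Quine recipe's own Cypher; the JSON log format, the field names (`time`, `user`, `client`, `asn`, `asset`, `result`) and the log lines themselves are constructed assumptions. Each user's attempts are chained in time order (the role of the NEXT edge), and an alert is produced when the four attempts immediately preceding a success are all failures, with no time window applied, so a chain spread over months still fires.

```python
"""Model of the password-spraying detection described above (added example).

Not the Quine recipe's code: field names and sample lines are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one JSON object per line. Alice's attempts span
# roughly ten weeks; Bob is a benign typo-then-success; Carol shows that more
# than four failures before the success still triggers the alert.
SAMPLE_LOG = """\
{"time": "2023-01-04T08:12:00Z", "user": "alice", "client": "mobile", "asn": "AS64496", "asset": "vpn", "result": "failure"}
{"time": "2023-01-19T21:40:00Z", "user": "alice", "client": "unknown", "asn": "AS64496", "asset": "vpn", "result": "failure"}
{"time": "2023-02-08T03:05:00Z", "user": "alice", "client": "unknown", "asn": "AS64497", "asset": "mail", "result": "failure"}
{"time": "2023-02-27T11:30:00Z", "user": "alice", "client": "computer", "asn": "AS64497", "asset": "vpn", "result": "failure"}
{"time": "2023-03-15T09:30:00Z", "user": "alice", "client": "unknown", "asn": "AS64497", "asset": "vpn", "result": "success"}
{"time": "2023-01-05T09:00:00Z", "user": "bob", "client": "computer", "asn": "AS64498", "asset": "vpn", "result": "failure"}
{"time": "2023-01-05T09:01:00Z", "user": "bob", "client": "computer", "asn": "AS64498", "asset": "vpn", "result": "success"}
{"time": "2023-02-01T09:00:00Z", "user": "carol", "client": "unknown", "asn": "AS64499", "asset": "mail", "result": "failure"}
{"time": "2023-02-08T09:00:00Z", "user": "carol", "client": "unknown", "asn": "AS64499", "asset": "mail", "result": "failure"}
{"time": "2023-02-15T09:00:00Z", "user": "carol", "client": "unknown", "asn": "AS64499", "asset": "mail", "result": "failure"}
{"time": "2023-02-22T09:00:00Z", "user": "carol", "client": "unknown", "asn": "AS64499", "asset": "mail", "result": "failure"}
{"time": "2023-03-01T09:00:00Z", "user": "carol", "client": "unknown", "asn": "AS64499", "asset": "mail", "result": "failure"}
{"time": "2023-03-08T09:00:00Z", "user": "carol", "client": "unknown", "asn": "AS64499", "asset": "mail", "result": "success"}
"""

FAILURES_BEFORE_SUCCESS = 4  # the recipe's threshold: four failures, then a success


def parse_attempts(log_text):
    """Parse one JSON attempt per line and attach a datetime for ordering."""
    attempts = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for attempt in attempts:
        attempt["ts"] = datetime.fromisoformat(attempt["time"].replace("Z", "+00:00"))
    return attempts


def link_attempts(attempts):
    """Chain each user's attempts in time order; index i -> i+1 plays the NEXT edge."""
    chains = defaultdict(list)
    for attempt in sorted(attempts, key=lambda a: a["ts"]):
        chains[attempt["user"]].append(attempt)
    return chains


def find_spray_alerts(chains, failures_before_success=FAILURES_BEFORE_SUCCESS):
    """Alert when the N attempts preceding a success in a user's chain are all failures.

    No time window is applied, mirroring the recipe's ability to catch
    attempts spread over months.
    """
    alerts = []
    for user, chain in chains.items():
        for i, attempt in enumerate(chain):
            if attempt["result"] != "success" or i < failures_before_success:
                continue
            window = chain[i - failures_before_success:i]
            if all(a["result"] == "failure" for a in window):
                alerts.append({
                    "user": user,
                    "failed_attempts": [a["time"] for a in window],
                    "success_at": attempt["time"],
                    "span_days": (attempt["ts"] - window[0]["ts"]).days,
                    "asns": sorted({a["asn"] for a in window + [attempt]}),
                })
    return alerts


def detect(log_text):
    """Full pipeline: parse, link per user, evaluate the alert condition."""
    return find_spray_alerts(link_attempts(parse_attempts(log_text)))


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

Running it on the constructed sample yields alerts for Alice (four failures from two ASNs spanning about ten weeks, then a success) and Carol, and none for Bob, whose single failure followed by a success is ordinary user behaviour. The `span_days` and `asns` fields are included because they are what an analyst triaging the alert would want to see first.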

Download the sample data file to the same directory as Quine, or use the command line instructions provided below. Then try it on your own IAM log data.

To run this recipe:
> curl -L -o attempts.json
java -jar quine-x.x.x.jar -r passwordspraying 
Recipe code: