QOMPLX Knowledge: Detecting Password Spraying Attacks

This is the latest in a series of posts we’re calling “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.

Much has been written about the sophistication of modern cyber criminals and state-sponsored actors. But the truth is that one of the most common and effective hacking methods is dead simple: guessing a user’s password.

Simple though it is, password guessing is its own art form -  especially when carried out at scale against a population of employees or users. Done properly, so-called “password spraying” attacks can cycle through millions of possible username and password combinations without tipping off defenders that any attacks are taking place. In this post, we’re taking a look at how QOMPLX’s technology helps customers to spot password spraying attacks and other excessive login attempts that are often an early indication that an attack is taking place.

Key Points

  • Failed login attempts are a very common activity on enterprise networks, but may also indicate malicious probes and password “spraying” attacks.
  • Automated tools allow attackers to fly below password lockout features while testing the security of hundreds or thousands of accounts.
  • Spotting password spraying attacks is critical to stopping emerging attacks in their early stages.
  • QOMPLX detects password spraying attacks by correlating login behavior from a single host and flagging automated and inauthentic login behavior.

How Password Spraying Attacks Work

Password spraying is a method of password cracking in which an attacker attempts to log in to a large number of user accounts using the same password. These attacks are a common tool for both sophisticated and unsophisticated cyber criminal groups as well as nation-state actors and are designed to gain access to- and control over a trusted user account in a target environment.

Password spraying is a cousin of so-called “brute force” password cracking attacks, but use an obverse method to those attacks. Brute force attacks attempt to crack a small set of user accounts using a long list of possible passwords, trying each password in turn until one works. In contrast, password spraying attacks take a small number of possible passwords and try them against a long list of known user accounts.

These techniques are commonly used by both cyber criminal groups and nation state attackers. Microsoft, for example, warned that the APT group Strontium relied on both brute force and password spraying in attacks targeting companies involved in the development of a COVID-19 vaccine in 2020.

The goal of password spraying attacks is to gain access to the targeted system while avoid triggering password “lockout” features on any single account, which are usually activated following a small (but configurable) number of incorrect password guesses. By moving from one account to the next, spraying attacks can steer clear of account lock-out features. At the same time, a small number of incorrect logins may not trigger suspicion among network administrators, as users commonly forget their login credentials.

Attackers can use any of a long list of free tools to conduct password spraying attacks, including the Metasploit SMB Login module, Medusa, Hydra, BurpSuite and Crackmapexec. Attackers can simply feed files containing usernames and passwords to these tools and let them loose, being careful to avoid any lockout restrictions.

QOMPLX Detection

QOMPLX’s Identity Assurance (IA) product detects password spraying attacks as they happen. Unlike other products, QOMPLX IA monitors for failed login attempts at the host level. That allows the technology to spot suspicious activity, such as attempts to access multiple accounts from the same endpoint. At the same time, IA allows customers to configure thresholds for alerting to suit their environment.

QOMPLX helps its customers with problems like password spraying attacks. If you want to learn more about how QOMPLX can help your company spot signs that may signal a compromise, contact our team now.

Additional Reading

Here are the previous entries in our QOMPLX Knowledge series; look for more in our QOMPLX Knowledge series in the days and weeks ahead:

Q:CYBER Using Windowed Rules for Advanced Detection

QOMPLX Knowledge: Golden Ticket Attacks Explained

QOMPLX Knowledge: Silver Ticket Attacks Explained

QOMPLX Knowledge: Responding to Golden Ticket Attacks

QOMPLX Knowledge: DCSync Attacks Explained

QOMPLX Knowledge: DCShadow Attacks Explained

QOMPLX Knowledge: Pass-the-Ticket Attacks Explained

QOMPLX Knowledge: Kerberoasting Attacks Explained

Learn More

Use the following form to request more information about QOMPLX detection of sophisticated attacks and other threats.