← Library
splApache-2.0from splunk/security_content

Potential password in username

The following analytic identifies instances where users may have mistakenly entered their passwords in the username field during authentication attempts. It detects this by analyzing failed authentication events with usernames longer than 7 characters and high Shannon entropy, followed by a successful authentication from the same source to the same destination. This activity is significant as it can indicate potential security risks, such as password exposure. If confirmed malicious, attackers could exploit this to gain unauthorized access, leading to potential data breaches or further compromise of the system.

Quality
67
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/potential_password_in_username.yml
| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication
  WHERE nodename=Authentication.Failed_Authentication
  BY "Authentication.user"
| `drop_dm_object_name(Authentication)`
| lookup ut_shannon_lookup word AS user
| where ut_shannon>3 AND len(user)>=8 AND mvcount(src) == 1
| sort count, - ut_shannon
| eval incorrect_cred=user
| eval endtime=endtime+1000
| map maxsearches=70 search="
| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication
  WHERE nodename=Authentication.Successful_Authentication Authentication.src=\"$src$\" Authentication.dest=\"$dest$\" sourcetype IN (\"$sourcetype$\") earliest=\"$starttime$\" latest=\"$endtime$\" BY \"Authentication.user\"
| `drop_dm_object_name(\"Authentication\")`
| `potential_password_in_username_false_positive_reduction`
| eval incorrect_cred=\"$incorrect_cred$\"
| eval ut_shannon=\"$ut_shannon$\"
| sort count"
| where user!=incorrect_cred
| outlier action=RM count
| `potential_password_in_username_filter`
Potential password in username · SPL rule | DetectionLint