Clankerusecase
MITRE ATT&CK detection coverage
 ← Back to main site
Home/ MITRE Matrix/ Credential Access/ T1110.003

T1110.003Password Spraying

T1110.003 — Password Spraying is a MITRE ATT&CK technique in the Credential Access tactic. Clankerusecase tracks 45 detection use cases covering it and 2 threat-intel articles citing it.

Credential Access
View on the matrix → Filter Detection Library MITRE official spec ↗
45Use cases
2Articles
0Sub-techniques
1Tactic
↑ Parent technique: T1110 · Brute Force

Use cases covering this technique (45)

Okta user account locked Internal delivery · alerting DD Cisco ASA - User Account Lockout Threshold Exceeded ESCU actions · hunting P Detect Distributed Password Spray Attempts ESCU actions · hunting P Detect Password Spray Attempts ESCU actions · alerting P Okta Multiple Users Failing To Authenticate From Ip ESCU actions · hunting P AWS High Number Of Failed Authentications From Ip ESCU actions · hunting P AWS Multiple Users Failing To Authenticate From Ip ESCU actions · hunting P AWS Unusual Number of Failed Authentications From Ip ESCU actions · hunting P Azure Active Directory High Risk Sign-in ESCU actions · alerting P Azure AD High Number Of Failed Authentications From Ip ESCU actions · alerting P Azure AD Multi-Source Failed Authentications Spike ESCU actions · hunting P Azure AD Multiple Users Failing To Authenticate From Ip ESCU actions · hunting P Azure AD Successful Authentication From Different Ips ESCU actions · alerting P Azure AD Unusual Number of Failed Authentications From Ip ESCU actions · hunting P GCP Multiple Users Failing To Authenticate From Ip ESCU actions · hunting P GCP Unusual Number of Failed Authentications From Ip ESCU actions · hunting P O365 Multi-Source Failed Authentications Spike ESCU actions · hunting P O365 Multiple Users Failing To Authenticate From Ip ESCU actions · alerting P Detect Password Spray Attack Behavior From Source ESCU actions · alerting P Detect Password Spray Attack Behavior On User ESCU actions · alerting P Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos ESCU actions · alerting P Windows Multiple Invalid Users Fail To Authenticate Using Kerberos ESCU actions · alerting P Windows Multiple Invalid Users Failed To Authenticate Using NTLM ESCU actions · alerting P Windows Multiple NTLM Null Domain Authentications ESCU actions · alerting P Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials ESCU actions · alerting P Windows Multiple Users Failed To Authenticate From Host Using NTLM ESCU actions · alerting P Windows Multiple Users Failed To Authenticate From Process ESCU actions · alerting P Windows Multiple Users Failed To Authenticate Using Kerberos ESCU actions · alerting P Windows Multiple Users Remotely Failed To Authenticate From Host ESCU actions · alerting P Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos ESCU actions · hunting P Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos ESCU actions · hunting P Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM ESCU actions · hunting P Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials ESCU actions · hunting P Windows Unusual Count Of Users Failed To Auth Using Kerberos ESCU actions · hunting P Windows Unusual Count Of Users Failed To Authenticate From Process ESCU actions · hunting P Windows Unusual Count Of Users Failed To Authenticate Using NTLM ESCU actions · hunting P Windows Unusual Count Of Users Remotely Failed To Auth From Host ESCU actions · hunting P Windows Unusual NTLM Authentication Destinations By Source ESCU actions · hunting P Windows Unusual NTLM Authentication Destinations By User ESCU actions · hunting P Windows Unusual NTLM Authentication Users By Destination ESCU actions · hunting P Windows Unusual NTLM Authentication Users By Source ESCU actions · hunting P Multiple Okta Users With Invalid Credentials From The Same IP ESCU actions · alerting P Okta ThreatInsight Suspected PasswordSpray Attack ESCU actions · alerting P [LLM] FortiGate SSL-VPN / admin credential brute-force or spray from single source Bespoke delivery · alerting DSPDD [LLM] Iran-aligned MFA push-bombing followed by new auth method registered (AA24-290A) Bespoke actions · alerting DSP

Articles citing this technique (2)

high AI Broke Vulnerability Management. That's Why CISOs Are Moving Budget to BAS. art-51
crit Cyber fallout from the Iran war: What to have on your radar art-474