Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1262: Analytic 1262

Multiple failed authentication attempts using distinct username/password pairs from a single IP address or session within a short time window, targeting common services like RDP or SMB

EnterpriseAN1262AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN1262 describes a Windows-focused detection analytic for spotting many failed logons from one IP address or session, using different username/password pairs against services such as RDP or SMB. For leaders, the practical value is early visibility into password-guessing or credential-testing pressure before it becomes an access or service-availability incident. Its usefulness depends less on the analytic name and more on whether authentication logs, source IP/session context, and service details are collected consistently enough to separate hostile bursts from user error or approved testing.

Executive priority

Prioritize this analytic where RDP, SMB, or other Windows authentication surfaces are material to business operations. It supports identity security, SOC readiness, incident triage, and compliance evidence by showing whether the organization can identify abnormal failed-authentication patterns quickly. Key leadership questions: Are failed logons centrally collected? Can teams tie attempts to a source IP or session? Are exposed or sensitive Windows services monitored? Is there an escalation path when repeated failures suggest credential attack activity?

Technical view

SOC and detection teams should validate that Windows authentication events include failed logon status, target username, source IP or session identifier, timestamp, and service context such as RDP or SMB where available. The analytic logic should look for multiple failed authentication attempts using distinct username/password pairs from a single IP address or session within a short time window. Because no official detection logic or ATT&CK tactic is supplied, local implementation must define thresholds, time windows, service scope, and suppression rules. IR teams should be prepared to pivot from the triggering IP/session to targeted accounts, affected hosts, authentication services, and any subsequent successful logons.

Likely telemetry

  • Windows failed authentication events
  • Source IP address or session identifiers associated with logon failures
  • Target usernames involved in failed attempts
  • Service or protocol context for RDP, SMB, or other common Windows authentication services
  • Timestamps sufficient for short-window correlation

Detection direction

  • Confirm the environment collects failed logon events from Windows systems where RDP or SMB authentication is relevant.
  • Tune thresholds for distinct username/password-pair failures from a single IP or session within a short period; thresholds should reflect normal helpdesk activity, vulnerability scanning, password audits, and administrative testing.
  • Correlate failed bursts with any later successful authentication from the same source or against the same accounts to support incident triage.
  • Watch for blind spots where network address translation, proxies, jump hosts, VPN concentrators, or incomplete host logging obscure the true source.
  • Avoid treating volume alone as conclusive; require enough context to distinguish mistyped credentials, service misconfiguration, scheduled jobs, or authorized testing from suspicious authentication behavior.

Mitigation priorities

  • Ensure Windows authentication logs for relevant services are enabled, retained, and forwarded to the SOC or logging platform.
  • Reduce unnecessary exposure of RDP, SMB, and other Windows authentication services, especially from untrusted networks.
  • Apply identity controls appropriate to the environment, such as account lockout policy, strong password policy, and multifactor authentication where supported.
  • Define investigation playbooks for repeated failed-authentication bursts, including account review, source containment decisions, and checks for follow-on successful logons.
  • Use detection results as evidence for identity monitoring, incident response readiness, and compliance control validation rather than as a standalone prevention control.
Analyst notes and limits

This take is based only on the supplied ATT&CK analytic fields. The object is a detection analytic, not a technique entry, and no relationship context, tactic mapping, or official detection implementation was provided. The description supports a Windows authentication-monitoring use case focused on repeated failed attempts from one source or session against services such as RDP or SMB.

Local environment evidence is required to define time windows, thresholds, service coverage, and acceptable administrative activity. The supplied fields do not support claims about active exploitation, attribution, prevalence, impact, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Analytic 1262

Multiple failed authentication attempts using distinct username/password pairs from a single IP address or session within a short time window, targeting common services like RDP or SMB

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
4731be7fb7fd9a35...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 4731be7fb7fd…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1262
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use