Find sigma rule

Attack: Brute Force: Password Spraying

Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. ‘Password01’), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)

Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:

SSH (22/TCP)
Telnet (23/TCP)
FTP (21/TCP)
NetBIOS / SMB / Samba (139/TCP & 445/TCP)
LDAP (389/TCP)
Kerberos (88/TCP)
RDP / Terminal Services (3389/TCP)
HTTP/HTTP Management Services (80/TCP & 443/TCP)
MSSQL (1433/TCP)
Oracle (1521/TCP)
MySQL (3306/TCP)
VNC (5900/TCP)

In addition to management services, adversaries may “target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,” as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)

In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows “logon failure” event ID 4625.

MITRE

Tactic

credential-access

technique

T1110.003

Test : Password Spray all Domain Users

OS

windows

Description:

CAUTION! Be very careful to not exceed the password lockout threshold for users in the domain by running this test too frequently. This atomic attempts to map the IPC$ share on one of the Domain Controllers using a password of Spring2020 for each user in the %temp%\users.txt list. Any successful authentications will be printed to the screen with a message like “[*] username:password”, whereas a failed auth will simply print a period. Use the input arguments to specify your own password to use for the password spray. Use the get_prereq_command’s to create a list of all domain users in the temp directory called users.txt. See the “Windows FOR Loop Password Spraying Made Easy” blog by @OrOneEqualsOne for more details on how these spray commands work. https://medium.com/walmartlabs/windows-for-loop-password-spraying-made-easy-c8cd4ebb86b5

Executor

command_prompt

Sigma Rule

proc_creation_win_susp_local_system_owner_account_discovery.yml (id: 502b42de-4306-40b4-9596-6f590c81f073)
proc_creation_win_rundll32_webdav_client_execution.yml (id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test