Find sigma rule
Attack: Brute Force: Password Spraying
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. ‘Password01’), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)
Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:
- SSH (22/TCP)
- Telnet (23/TCP)
- FTP (21/TCP)
- NetBIOS / SMB / Samba (139/TCP & 445/TCP)
- LDAP (389/TCP)
- Kerberos (88/TCP)
- RDP / Terminal Services (3389/TCP)
- HTTP/HTTP Management Services (80/TCP & 443/TCP)
- MSSQL (1433/TCP)
- Oracle (1521/TCP)
- MySQL (3306/TCP)
- VNC (5900/TCP)
In addition to management services, adversaries may “target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,” as well as externally facing email applications, such as Office 365. (Citation: US-CERT TA18-068A 2018)
In default environments, LDAP and Kerberos connection attempts are less likely to trigger events than attempts over SMB, which create the Windows “logon failure” event ID 4625.
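A defender-side detector for the pattern described above, one source failing logons against many distinct accounts in a short window rather than one account many times, as an added Python example that is not part of the original page or of the referenced atomic test. The 4625 records are constructed samples reduced to four fields; the thresholds (5 accounts in 10 minutes) are assumptions to tune per environment.

```python
from collections import defaultdict, Counter
from datetime import datetime, timedelta

# Constructed sample of Windows "logon failure" (event ID 4625) records, reduced to
# the fields a spray detector needs: timestamp, source IP, target account, NTSTATUS.
# 10.0.0.5 tries one password against many accounts (a spray); 10.0.0.9 is one user
# mistyping their own password repeatedly (not a spray).
SAMPLE_4625 = [
    ("2024-01-10T09:00:01", "10.0.0.5", "alice", "0xC000006A"),
    ("2024-01-10T09:00:02", "10.0.0.5", "bob",   "0xC000006A"),
    ("2024-01-10T09:00:03", "10.0.0.5", "carol", "0xC000006A"),
    ("2024-01-10T09:00:04", "10.0.0.5", "dave",  "0xC000006A"),
    ("2024-01-10T09:00:05", "10.0.0.5", "erin",  "0xC000006A"),
    ("2024-01-10T09:00:06", "10.0.0.5", "frank", "0xC000006A"),
    ("2024-01-10T09:01:00", "10.0.0.9", "grace", "0xC000006A"),
    ("2024-01-10T09:01:30", "10.0.0.9", "grace", "0xC000006A"),
    ("2024-01-10T09:02:00", "10.0.0.9", "grace", "0xC000006A"),
]

def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Return {source_ip: sorted distinct target accounts} for every source whose
    failed logons hit at least `min_accounts` distinct accounts inside any
    `window`-long sliding interval. Many accounts, few attempts each, from one
    source is the shape of a spray; one account failing repeatedly is a classic
    brute force (or a forgotten password) and is deliberately not flagged here."""
    by_source = defaultdict(list)
    for ts, src, account, _status in events:   # status code kept for extension
        by_source[src].append((datetime.fromisoformat(ts), account.lower()))

    hits = {}
    for src, attempts in by_source.items():
        attempts.sort()
        in_window = Counter()   # account -> attempts currently inside the window
        start = 0
        for t_end, account in attempts:
            in_window[account] += 1
            # drop attempts older than `window` relative to the newest one
            while t_end - attempts[start][0] > window:
                old = attempts[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_accounts:
                hits[src] = sorted({a for _, a in attempts})
                break
    return hits
```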
MITRE
Tactic
- credential-access
Technique
- T1110.003
Test: Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)
OS
- windows
Description:
Attempt to brute force all Active Directory domain users with a single password (called “password spraying”) on a domain controller, via LDAP, with NTLM or Kerberos.
Prerequisite: the AD RSAT PowerShell module is needed, and the test must run under a domain user (to fetch the list of all domain users).
Executor
powershell
Sigma Rule
- proc_creation_win_hktl_mimikatz_command_line.yml (id: a642964e-bead-4bed-8910-1bb4d63e3b4d)
- posh_ps_susp_networkcredential.yml (id: 1883444f-084b-419b-ac62-e0d0c5b3693f)
- net_connection_win_powershell_network_connection.yml (id: 1f21ec3f-810d-4b0e-8045-322202e22b4b)