-
Notifications
You must be signed in to change notification settings - Fork 375
/
Copy pathactive_directory_password_spraying.yml
46 lines (44 loc) · 2.78 KB
/
active_directory_password_spraying.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
name: Active Directory Password Spraying
id: 3de109da-97d2-11eb-8b6a-acde48001122
version: 2
date: '2021-04-07'
author: Mauricio Velazco, Splunk
description: Monitor for activities and techniques associated with Password Spraying
attacks within Active Directory environments.
narrative: 'In a password spraying attack, adversaries leverage one or a small list
of commonly used / popular passwords against a large volume of usernames to acquire
valid account credentials. Unlike a Brute Force attack that targets a specific user
or small group of users with a large number of passwords, password spraying follows
the opposite aproach and increases the chances of obtaining valid credentials while
avoiding account lockouts. This allows adversaries to remain undetected if the target
organization does not have the proper monitoring and detection controls in place.
Password Spraying can be leveraged by adversaries across different stages in an
attack. It can be used to obtain an iniial access to an environment but can also
be used to escalate privileges when access has been already achieved. In some scenarios,
this technique capitalizes on a security policy most organizations implement, password
rotation. As enterprise users change their passwords, it is possible some pick predictable,
seasonal passwords such as `$CompanyNameWinter`, `Summer2021`, etc.
Specifically, this Analytic Story is focused on detecting possible Password Spraying
attacks against Active Directory environments leveraging Windows Event Logs in the
`Account Logon` and `Logon/Logoff` Advanced Audit Policy categories. It presents
16 detection analytics which can aid defenders in identifying instances where one
source user, source host or source process attempts to authenticate against a target
or targets using a high or statiscally unsual, number of unique users. A user, host or process
attempting to authenticate with multiple users is not common behavior for legitimate
systems and should be monitored by security teams. Possible false positive scenarios
include but are not limited to vulnerability scanners, remote administration tools,
multi-user systems and missconfigured systems. These should be easily spotted when
first implementing the detection and addded to an allow list or lookup table. The
presented detections can also be used in Threat Hunting exercises.'
references:
- https://attack.mitre.org/techniques/T1110/003/
- https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn452415(v=ws.11)
tags:
category:
- Adversary Tactics
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Advanced Threat Detection