Analytics Story: Active Directory Password Spraying
Description
Monitor for activities and techniques associated with Password Spraying attacks within Active Directory environments.
Why it matters
In a password spraying attack, adversaries leverage one or a small list of commonly used / popular passwords against a large volume of usernames to acquire valid account credentials. Unlike a Brute Force attack that targets a specific user or small group of users with a large number of passwords, password spraying follows the opposite aproach and increases the chances of obtaining valid credentials while avoiding account lockouts. This allows adversaries to remain undetected if the target organization does not have the proper monitoring and detection controls in place.
Password Spraying can be leveraged by adversaries across different stages in an attack. It can be used to obtain an iniial access to an environment but can also be used to escalate privileges when access has been already achieved. In some scenarios, this technique capitalizes on a security policy most organizations implement, password rotation. As enterprise users change their passwords, it is possible some pick predictable, seasonal passwords such as $CompanyNameWinter
, Summer2021
, etc.
Specifically, this Analytic Story is focused on detecting possible Password Spraying attacks against Active Directory environments leveraging Windows Event Logs in the Account Logon
and Logon/Logoff
Advanced Audit Policy categories. It presents 16 detection analytics which can aid defenders in identifying instances where one source user, source host or source process attempts to authenticate against a target or targets using a high or statiscally unsual, number of unique users. A user, host or process attempting to authenticate with multiple users is not common behavior for legitimate systems and should be monitored by security teams. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, multi-user systems and missconfigured systems. These should be easily spotted when first implementing the detection and addded to an allow list or lookup table. The presented detections can also be used in Threat Hunting exercises.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
Azure Active Directory Sign-in activity | Azure | azure:monitor:aad |
Azure AD |
Windows Event Log Security 4625 | Windows | xmlwineventlog |
XmlWinEventLog:Security |
Windows Event Log Security 4648 | Windows | xmlwineventlog |
XmlWinEventLog:Security |
Windows Event Log Security 4768 | Windows | xmlwineventlog |
XmlWinEventLog:Security |
Windows Event Log Security 4771 | Windows | xmlwineventlog |
XmlWinEventLog:Security |
Windows Event Log Security 4776 | Windows | xmlwineventlog |
XmlWinEventLog:Security |
References
- https://attack.mitre.org/techniques/T1110/003/
- https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn452415(v=ws.11)
Source: GitHub | Version: 2