Analytics Story: Active Directory Password Spraying

Date: 2021-04-07 ID: 3de109da-97d2-11eb-8b6a-acde48001122 Author: Mauricio Velazco, Splunk Product: Splunk Enterprise Security

Description

Monitor for activities and techniques associated with Password Spraying attacks within Active Directory environments.

Why it matters

In a password spraying attack, adversaries leverage one or a small list of commonly used / popular passwords against a large volume of usernames to acquire valid account credentials. Unlike a Brute Force attack that targets a specific user or small group of users with a large number of passwords, password spraying follows the opposite aproach and increases the chances of obtaining valid credentials while avoiding account lockouts. This allows adversaries to remain undetected if the target organization does not have the proper monitoring and detection controls in place. Password Spraying can be leveraged by adversaries across different stages in an attack. It can be used to obtain an iniial access to an environment but can also be used to escalate privileges when access has been already achieved. In some scenarios, this technique capitalizes on a security policy most organizations implement, password rotation. As enterprise users change their passwords, it is possible some pick predictable, seasonal passwords such as $CompanyNameWinter, Summer2021, etc. Specifically, this Analytic Story is focused on detecting possible Password Spraying attacks against Active Directory environments leveraging Windows Event Logs in the Account Logon and Logon/Logoff Advanced Audit Policy categories. It presents 16 detection analytics which can aid defenders in identifying instances where one source user, source host or source process attempts to authenticate against a target or targets using a high or statiscally unsual, number of unique users. A user, host or process attempting to authenticate with multiple users is not common behavior for legitimate systems and should be monitored by security teams. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, multi-user systems and missconfigured systems. These should be easily spotted when first implementing the detection and addded to an allow list or lookup table. The presented detections can also be used in Threat Hunting exercises.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Detect Distributed Password Spray Attempts Password Spraying, Brute Force Hunting
Detect Password Spray Attempts Password Spraying, Brute Force TTP
Detect Excessive Account Lockouts From Endpoint Valid Accounts, Domain Accounts Anomaly
Detect Excessive User Account Lockouts Valid Accounts, Local Accounts Anomaly
Windows Create Local Account Local Account, Create Account Anomaly
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos Password Spraying, Brute Force TTP
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos Password Spraying, Brute Force TTP
Windows Multiple Invalid Users Failed To Authenticate Using NTLM Password Spraying, Brute Force TTP
Windows Multiple NTLM Null Domain Authentications Brute Force, Password Spraying TTP
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials Password Spraying, Brute Force TTP
Windows Multiple Users Failed To Authenticate From Host Using NTLM Password Spraying, Brute Force TTP
Windows Multiple Users Failed To Authenticate From Process Password Spraying, Brute Force TTP
Windows Multiple Users Failed To Authenticate Using Kerberos Password Spraying, Brute Force TTP
Windows Multiple Users Remotely Failed To Authenticate From Host Password Spraying, Brute Force TTP
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos Password Spraying, Brute Force Anomaly
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos Password Spraying, Brute Force Anomaly
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM Password Spraying, Brute Force Anomaly
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials Password Spraying, Brute Force Anomaly
Windows Unusual Count Of Users Failed To Auth Using Kerberos Password Spraying, Brute Force Anomaly
Windows Unusual Count Of Users Failed To Authenticate From Process Password Spraying, Brute Force Anomaly
Windows Unusual Count Of Users Failed To Authenticate Using NTLM Password Spraying, Brute Force Anomaly
Windows Unusual Count Of Users Remotely Failed To Auth From Host Password Spraying, Brute Force Anomaly
Windows Unusual NTLM Authentication Destinations By Source Brute Force, Password Spraying Anomaly
Windows Unusual NTLM Authentication Destinations By User Brute Force, Password Spraying Anomaly
Windows Unusual NTLM Authentication Users By Destination Brute Force, Password Spraying Anomaly
Windows Unusual NTLM Authentication Users By Source Brute Force, Password Spraying Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Azure Active Directory Sign-in activity Azure icon Azure azure:monitor:aad Azure AD
Windows Event Log Security 4625 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4648 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4768 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4771 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4776 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 2