Try in Splunk Security Cloud

Description

Monitor for activities and techniques associated with Password Spraying attacks within Active Directory environments.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-04-07
  • Author: Mauricio Velazco, Splunk
  • ID: 3de109da-97d2-11eb-8b6a-acde48001122

Narrative

In a password spraying attack, adversaries leverage one or a small list of commonly used / popular passwords against a large volume of usernames to acquire valid account credentials. Unlike a Brute Force attack that targets a specific user or small group of users with a large number of passwords, password spraying follows the opposite aproach and increases the chances of obtaining valid credentials while avoiding account lockouts. This allows adversaries to remain undetected if the target organization does not have the proper monitoring and detection controls in place.
Password Spraying can be leveraged by adversaries across different stages in an attack. It can be used to obtain an iniial access to an environment but can also be used to escalate privileges when access has been already achieved. In some scenarios, this technique capitalizes on a security policy most organizations implement, password rotation. As enterprise users change their passwords, it is possible some pick predictable, seasonal passwords such as $CompanyNameWinter, Summer2021, etc.
Specifically, this Analytic Story is focused on detecting possible Password Spraying attacks against Active Directory environments leveraging Windows Event Logs in the Account Logon and Logon/Logoff Advanced Audit Policy categories. It presents 9 detection analytics which can aid defenders in identifyng instances where one source user, source host or source process attempts to authenticate against a target or targets using a high, unsual, number of unique users. A user, host or process attempting to authenticate with multiple users is not common behavior for legitimate systems and should be monitored by security teams. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, multi-user systems and missconfigured systems. These should be easily spotted when first implementing the detection and addded to an allow list or lookup table. The presented detections can also be used in Threat Hunting exercises.

Detections

Name Technique Type
Multiple Disabled Users Failing To Authenticate From Host Using Kerberos Password Spraying, Brute Force Anomaly
Multiple Invalid Users Failing To Authenticate From Host Using Kerberos Password Spraying, Brute Force Anomaly
Multiple Invalid Users Failing To Authenticate From Host Using NTLM Password Spraying, Brute Force Anomaly
Multiple Users Attempting To Authenticate Using Explicit Credentials Password Spraying, Brute Force Anomaly
Multiple Users Failing To Authenticate From Host Using Kerberos Password Spraying, Brute Force Anomaly
Multiple Users Failing To Authenticate From Host Using NTLM Password Spraying, Brute Force Anomaly
Multiple Users Failing To Authenticate From Process Password Spraying, Brute Force Anomaly
Multiple Users Remotely Failing To Authenticate From Host Password Spraying, Brute Force Anomaly

Reference

source | version: 1