sans-blue-team / DeepBlueCLI

GNU General Public License v3.0

Add password spray detection, sample evtx #10

Closed joswr1ght closed 5 years ago

joswr1ght commented 5 years ago

Summary

Added password spray detection using Security Event ID 4648 ("A logon was attempted using explicit credentials") and thresholding metrics (6 login attempts over 6 different usernames).

Attack

@FOR /F %p in (pass.txt) DO @FOR /F %n in (users.txt) DO @echo Trying %n with %p && @net use \\172.16.144.128\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\172.16.144.128\IPC$ > NUL

Notes

This detects the thresholded logon attempts using explicit credentials, but I don't have access to a proper AD environment to determine if this will also generate false positives. The threshold values $passsprayuniqusermax and $passsprayloginmax may need to be tweaked.

Trivia

smisenar is a username entered twice in my users.txt file, so there are 2x as many attempts to compromise his account as any other. 😂
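One way to apply the two thresholds the PR describes, as an added PowerShell example rather than DeepBlueCLI's own code: 4648-style records are grouped by the account supplying the credentials and the target server, and an alert is raised once both $passsprayloginmax and $passsprayuniqusermax are reached. The field names mirror the 4648 event data (SubjectUserName, TargetUserName, TargetServerName, ProcessName); the records themselves are constructed inline, so reading a real .evtx with Get-WinEvent is not shown, and "at least N" is assumed as the meaning of the thresholds.

```powershell
# Added example, not DeepBlueCLI code: threshold 4648 explicit-credential logons.
$passsprayloginmax    = 6   # attempts from one source before alerting
$passsprayuniqusermax = 6   # distinct target usernames before alerting

# Constructed sample records: one source spraying eight attempts over seven
# accounts (smisenar twice), plus a single benign runas-style logon.
$events = @(
    foreach ($u in 'alice','bob','carol','dave','erin','smisenar','smisenar','frank') {
        [pscustomobject]@{ Id = 4648; SubjectUserName = 'workstation-user'
                           TargetUserName = $u; TargetServerName = '172.16.144.128'
                           ProcessName = 'C:\Windows\System32\net.exe' }
    }
    [pscustomobject]@{ Id = 4648; SubjectUserName = 'helpdesk'
                       TargetUserName = 'admin-hd'; TargetServerName = 'fileserver'
                       ProcessName = 'C:\Windows\System32\runas.exe' }
)

function Find-PasswordSpray {
    param([object[]]$Events, [int]$LoginMax, [int]$UniqueUserMax)
    $Events | Where-Object Id -eq 4648 |
        Group-Object SubjectUserName, TargetServerName |   # one bucket per source + target
        ForEach-Object {
            $targets = @($_.Group.TargetUserName | Sort-Object -Unique)
            # Both conditions must hold: many attempts AND many distinct accounts.
            if ($_.Count -ge $LoginMax -and $targets.Count -ge $UniqueUserMax) {
                [pscustomobject]@{
                    Message  = 'Possible password spray (Event ID 4648, explicit credentials)'
                    Source   = $_.Group[0].SubjectUserName
                    Target   = $_.Group[0].TargetServerName
                    Attempts = $_.Count
                    Users    = $targets.Count
                    Process  = (@($_.Group.ProcessName | Sort-Object -Unique) -join ', ')
                }
            }
        }
}

# Expected: one alert for the 172.16.144.128 bucket (8 attempts, 7 users); the
# helpdesk runas logon stays below both thresholds and is not reported.
Find-PasswordSpray -Events $events -LoginMax $passsprayloginmax -UniqueUserMax $passsprayuniqusermax |
    Format-List
```

Lowering either threshold in an environment where helpdesk staff routinely use runas or mapped drives with alternate credentials is where the false positives the Notes section worries about would appear, so the Process field is kept in the alert to make that triage easier.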

tripmine253 commented 5 years ago

Thanks!

On Tue, Apr 30, 2019 at 16:18 Joshua Wright notifications@github.com wrote:

https://github.com/sans-blue-team/DeepBlueCLI/pull/10