sans-blue-team / DeepBlueCLI

GNU General Public License v3.0

Porting password spray attack detection in Python #15

Open mfred488 opened 4 years ago

mfred488 commented 4 years ago

While trying my luck with SANS' holiday hack challenge this year, I realized that the password spray attack detection was not implemented in Python.

I looked at the PowerShell version and tried to port the same logic to Python. This seems to work on the example file:

```text
[mfred@localhost DeepBlueCLI]$ python DeepBlue.py evtx/password-spray.evtx 

Distributed Account Explicit Credential Use (Password Spray Attack)
The use of multiple user account access attempts with explicit credentials is 
an indicator of a password spray attack.

Target usernames: Administrator celgee eskoudis jwright smisenar dpendolino thessman
Accessing username: jwrig
```
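The detection the output above reports is, in outline, "one account supplied explicit credentials for many different target accounts". The following is an added illustration of that logic, written for this thread and not taken from DeepBlueCLI's PowerShell or Python code: it parses Windows Security event XML records (the format an EVTX parser emits), keeps only Event ID 4648 (logon attempted with explicit credentials), groups the `TargetUserName` values by `SubjectUserName`, and flags any source account whose distinct target count reaches a threshold. The sample events and the threshold of 5 are constructed assumptions, not values from the project.

```python
"""Illustrative password-spray detection over Windows Security event XML.

Added example for this thread; it is NOT DeepBlueCLI's implementation.
Assumptions: events arrive as Windows event XML strings, and a source
account touching 5 or more distinct target accounts via 4648 is suspicious.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace used by Windows event XML records.
EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"


def _evt(event_id, subject, target):
    """Build a minimal Windows event XML record (constructed sample data)."""
    return (
        f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID></System>"
        f'<EventData><Data Name="SubjectUserName">{subject}</Data>'
        f'<Data Name="TargetUserName">{target}</Data></EventData></Event>'
    )


# Constructed sample: jwright uses explicit credentials against seven accounts
# (the spray), plus one benign 4648 and one ordinary 4624 logon as noise.
SAMPLE_EVENTS = [
    _evt(4648, "jwright", t)
    for t in ["Administrator", "celgee", "eskoudis", "jwright",
              "smisenar", "dpendolino", "thessman"]
] + [
    _evt(4648, "smisenar", "backupsvc"),  # single explicit-credential use
    _evt(4624, "jwright", "jwright"),     # normal logon, not 4648
]


def parse_event(xml_text):
    """Return (event_id, {data_name: value}) for one event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find(f"{EVT_NS}System/{EVT_NS}EventID").text)
    data = {}
    for d in root.findall(f"{EVT_NS}EventData/{EVT_NS}Data"):
        data[d.get("Name")] = d.text or ""
    return event_id, data


def detect_password_spray(xml_events, threshold=5):
    """Group 4648 events by the account supplying the credentials
    (SubjectUserName) and flag sources that targeted >= threshold
    distinct accounts (TargetUserName). Returns a list of findings."""
    targets_by_source = defaultdict(set)
    for xml_text in xml_events:
        event_id, data = parse_event(xml_text)
        if event_id != 4648:
            continue
        source = data.get("SubjectUserName", "")
        targets_by_source[source].add(data.get("TargetUserName", ""))

    findings = []
    for source, targets in sorted(targets_by_source.items()):
        if len(targets) >= threshold:
            findings.append({"accessing_user": source,
                             "targets": sorted(targets)})
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_EVENTS):
        print("Distributed Account Explicit Credential Use (Password Spray Attack)")
        print("Target usernames:", " ".join(finding["targets"]))
        print("Accessing username:", finding["accessing_user"])
```

Run against real data, the XML strings would come from an EVTX parser and the threshold should be tuned per environment: service accounts that legitimately run as several identities will otherwise appear as sources, which is why the example keys on distinct targets per source rather than on raw 4648 volume.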
alnash28 commented 4 years ago

@mfred488 Is this required to complete objective-3 of SANS KringleCon 2019 or not? Seems to be missing as of 1/5/2020. Do you think @eric-conrad will merge this PR?

mfred488 commented 4 years ago

@eric-conrad did not give his feedback on the PR yet, so it's not merged yet.

This PR can help if you want to use the Python version DeepBlueCLI to solve objective 3; if you need it, and can't wait for the merge, you can still clone my fork: https://github.com/mfred488/DeepBlueCLI

alnash28 commented 4 years ago

@mfred488 Lulz, confession time. I manually applied this PR to the DeepCLI installed, however I haven't found the culprit attempting password spraying

TheRamisNotTaken commented 8 months ago

Can you explain the code with a full explanation?

If you found any, please inform me too