In this blog post, we’ll be talking about Password Spraying and how we can use StealthDEFEND to defend ourselves against this type of attack.
Introduction to Password Spraying
Password Spraying is a technique attackers leverage to guess the passwords of accounts by trying a small number of highly common passwords against a large number of accounts while staying below an organization’s defined lockout threshold. This allows an attacker to compromise accounts without any elevated privileges while masking themselves from detection by blending in with “normal” authentication activity.
A typical approach may first involve an attacker utilizing a list of all known users in an organization or a list of statistically likely usernames, and combining this with a list of common or likely passwords such as “Winter2019” or “Spring2019!”. With these resources in hand, an attacker can begin the “spray”.
For each password, we will try to authenticate for each user in our user list. Once we have used our first common password for each user account, we’ll pause and then try the next password for every user as well. This process will continue until we have tried every password for every account, making a note of any “hits” along the way. We’ll also include a number of pauses between each new password we attempt to ensure we avoid any lockouts.
These attacks typically happen internally against the domain using a variety of scripts, or externally, such as spraying against an externally available Outlook Web Access.
As rudimentary as this process sounds, Password Spraying is often a very successful tactic of red teamers, pen testers, and attackers alike.
Using strong passwords and additional layers of authentication security can go a long way toward mitigating this issue, but for many organizations these protections can be difficult to implement.
Password Spraying Detection with StealthDEFEND
StealthDEFEND has threat detection built specifically for Password Spraying. This detection analyzes Active Directory authentication events for common patterns associated with Password Spraying. These patterns identify both scenarios in which a large number of accounts are attempted very quickly and scenarios in which accounts are attempted “slowly” over the course of many hours or days.
When Password Spraying is detected, StealthDEFEND will display a summary of the activity, a graphical representation of the activity, and a number of key points of evidence.
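As an added illustration of the two patterns just described (this is example code, not StealthDEFEND’s own detection logic), the Python below runs over a constructed set of Windows 4625-style failed-logon lines and flags any source client whose failures hit several distinct accounts inside a short window (the burst case) or inside a multi-day window (the low-and-slow case). The log line format, the thresholds and the window sizes are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample shaped like Windows 4625 failed-logon lines (not real data):
# 10.0.0.5 bursts four accounts in 30 s, 10.0.0.9 tries four over 36 h, 10.0.0.2 mistypes.
SAMPLE_LOG = """\
2019-11-04T08:00:00 EventID=4625 Source=10.0.0.5 TargetUser=u01
2019-11-04T08:00:10 EventID=4625 Source=10.0.0.5 TargetUser=u02
2019-11-04T08:00:20 EventID=4625 Source=10.0.0.5 TargetUser=u03
2019-11-04T08:00:30 EventID=4625 Source=10.0.0.5 TargetUser=u04
2019-11-04T08:01:00 EventID=4625 Source=10.0.0.2 TargetUser=alice
2019-11-04T08:02:00 EventID=4625 Source=10.0.0.2 TargetUser=alice
2019-11-04T09:00:00 EventID=4625 Source=10.0.0.9 TargetUser=svc-backup
2019-11-04T21:00:00 EventID=4625 Source=10.0.0.9 TargetUser=svc-sql
2019-11-05T09:00:00 EventID=4625 Source=10.0.0.9 TargetUser=svc-web
2019-11-05T21:00:00 EventID=4625 Source=10.0.0.9 TargetUser=svc-print
"""

def parse_events(text):
    """Yield (timestamp, source, account) from each 4625-style line."""
    for line in text.splitlines():
        m = re.match(r"(\S+) EventID=4625 Source=(\S+) TargetUser=(\S+)", line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def spray_sources(events, window, min_accounts):
    """Return {source: peak distinct accounts} for sources whose failures
    hit at least min_accounts distinct accounts inside one sliding window."""
    by_source = defaultdict(list)
    for ts, src, acct in events:
        by_source[src].append((ts, acct))
    flagged = {}
    for src, attempts in by_source.items():
        in_window = deque()  # attempts inside the current sliding window
        peak = 0
        for ts, acct in sorted(attempts):
            in_window.append((ts, acct))
            while ts - in_window[0][0] > window:  # expire old attempts
                in_window.popleft()
            peak = max(peak, len({a for _, a in in_window}))
        if peak >= min_accounts:
            flagged[src] = peak
    return flagged

def detect_sprays(log_text, min_accounts=4):
    """Fast-burst (5 min) and low-and-slow (48 h) detectors over one log."""
    events = list(parse_events(log_text))
    return {"fast": spray_sources(events, timedelta(minutes=5), min_accounts),
            "slow": spray_sources(events, timedelta(hours=48), min_accounts)}
```

Only the long window catches 10.0.0.9, which is why a detector needs both a short and a multi-day view; the single user mistyping one password is never flagged because the distinct-account count stays at one.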
Password Spraying Threat Response with StealthDEFEND
Responding to a Password Spraying attack quickly and efficiently limits an attacker’s ability to use a breached account.
The Response capabilities of StealthDEFEND provide a number of options for responding to Password Spraying threats. The most common response would be to utilize the various Active Directory actions to Reset the Password of the account and to force a Password Change at Next Login for users affected by the Password Spraying attack.
StealthDEFEND retains the “Affected Users” context of a threat, so whether one or many users have had their accounts compromised by password spraying, we can respond appropriately.
Due to the Automated Context Injection capabilities of StealthDEFEND, we also know which client was the source of the Password Spray attack and can use this information in our response. This gives us additional threat response options, such as removing the client’s access to the network or using another method of direct intervention, for example a PowerShell script that interacts with an endpoint solution.
While the direct approach of restricting access and/or locking down accounts can certainly be effective in stopping an attack, simply using the information gathered by StealthDEFEND to notify and enable our teams to respond is valuable as well. By integrating with a number of third-party products such as Slack, Microsoft Teams, and ServiceNow, we can easily have our teams notified of an attack and provide them the information they need to resolve the issue quickly and efficiently.
Next week, I will be blogging on LDAP Reconnaissance. Stay tuned!