Detecting Password Spraying Attacks: Threat Research Release May 2021
Password spraying (T1110.003) is a technique by which adversaries use a single password, or a small list of commonly used passwords, against a large group of usernames to acquire valid account credentials. Unlike a brute force attack, which targets a specific user or small group of users with a large number of passwords, password spraying takes the opposite approach: it increases the chances of obtaining valid credentials while staying below account lockout thresholds. This allows adversaries to remain undetected if the target organization does not have the proper monitoring and detection controls in place. Penetration testers, cybercriminals and nation-state actors have all been known to use this effective technique.
Password spraying can be used by adversaries at different stages of a breach. It can be used to obtain initial access to an environment, but it can also be used to escalate privileges once access has already been achieved. In many scenarios, this technique ironically capitalizes on a common security control deployed by organizations: password rotation. As enterprise users change their passwords when they expire, some of them may pick predictable, seasonal passwords such as “Summer2021”.
Specifically, this Analytic Story is focused on detecting potential password spraying attacks against Active Directory environments in two scenarios where an attacker has obtained access to the target network:
- An adversary has obtained physical access to the network with a rogue device and can perform spraying attacks against internal hosts.
- An adversary is controlling a domain endpoint previously compromised and is leveraging it to perform spraying attacks.
In properly monitored Active Directory environments, there are several detection opportunities to identify password spraying attacks. This analytic story presents eight different detection analytics built on Windows event logs that can aid defenders in identifying instances where a single user, source host, or source process attempts to authenticate against one or more targets using a high and unusual number of unique usernames. A user, host, or process attempting to authenticate as many different users is not common behavior for legitimate systems and should be monitored by security teams. Possible false positive scenarios include, but are not limited to, vulnerability scanners, remote administration tools, multi-user systems and misconfigured systems.
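The core of the detections described above is a distinct-count of target usernames per source within a time window, with known noisy sources excluded. The following is an added example in Python, not Splunk's own SPL content; the event list, its flat field names (time, src, user) and the threshold are constructed assumptions, and Event ID 4625 is the Windows Security failed-logon event.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events. EventCode 4625 is a failed
# logon; the flat field names (time, src, user) are simplifying assumptions.
SAMPLE_EVENTS = (
    # 10.0.0.50 fails against 25 distinct users in under a minute: a spray.
    [{"time": "2021-05-10T09:00:%02d" % (2 * i), "EventCode": 4625,
      "src": "10.0.0.50", "user": "user%02d" % i} for i in range(25)]
    # 10.0.0.7 is one user mistyping her own password repeatedly: benign.
    + [{"time": "2021-05-10T09:01:%02d" % i, "EventCode": 4625,
        "src": "10.0.0.7", "user": "alice"} for i in range(6)]
    # 10.0.0.99 is a known vulnerability scanner: a documented false positive.
    + [{"time": "2021-05-10T09:00:%02d" % (3 * i), "EventCode": 4625,
        "src": "10.0.0.99", "user": "svc%02d" % i} for i in range(15)]
)


def failed_logons_by_source(events, span=timedelta(minutes=5)):
    """Bucket 4625 events into fixed windows of `span` per source host and
    collect the distinct target usernames in each bucket (the equivalent of
    `bin _time span=5m | stats dc(user) by src` in SPL)."""
    buckets = defaultdict(set)
    for e in events:
        if e["EventCode"] != 4625:
            continue
        t = datetime.fromisoformat(e["time"])
        window_start = t - (t - datetime.min) % span  # floor to span boundary
        buckets[(e["src"], window_start)].add(e["user"])
    return buckets


def spray_candidates(events, span=timedelta(minutes=5), threshold=10,
                     allowlist=frozenset()):
    """Return {(src, window_start): sorted users} for every source that failed
    logons against at least `threshold` distinct users in one window, skipping
    sources on `allowlist` (scanners, admin tools) to suppress known false
    positives. The threshold is a tuning knob for the environment."""
    hits = {}
    for (src, start), users in failed_logons_by_source(events, span).items():
        if src in allowlist or len(users) < threshold:
            continue
        hits[(src, start)] = sorted(users)
    return hits


if __name__ == "__main__":
    for (src, start), users in spray_candidates(
            SAMPLE_EVENTS, allowlist={"10.0.0.99"}).items():
        print(f"{start:%H:%M} {src}: {len(users)} distinct users, e.g. {users[:3]}")
```

The same grouping works unchanged when the source key is a logon process or an originating user rather than a host, which is how the story's remaining analytics vary the idea.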
Why Should You Care?
Password spraying is used by all sorts of offensive actors, including penetration testing consultants, cybercrime actors and cyber espionage actors (corporate espionage included). It is an effective technique available to adversaries to obtain valid account credentials. Unlike other password-based attacks such as brute forcing, spraying accounts allows adversaries to remain undetected by avoiding account lockouts.
According to Verizon's 2020 Data Breach Investigations Report, more than 80 percent of breaches within the “Hacking” category “involve brute force or the use of lost or stolen credentials.”
Cyber defenders need to design and deploy effective monitoring capabilities that allow them to detect and respond to password spraying attacks against Active Directory as well as other authentication services.
Learn More
You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update. In the upcoming weeks, the Splunk Threat Research team will be releasing a more detailed blog post on this analytic story. Stay tuned!
For a full list of security content, check out the release notes on Splunk Docs.
Feedback
Any feedback or requests? Feel free to open an issue on GitHub and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.
Contributors
We would like to thank Mauricio Velazco for his contributions to this post and open source security tools.