What is Password Spraying?
Password spraying is when an attacker tries many different user accounts with the same password. The passwords attackers use are typically common ones the service desk hands out on password resets, such as "Spring2018!". Because each account sees only one failed attempt, this typically avoids locking out accounts, and the attacker can try every username he or she has.
Attackers can password spray any application that takes a username and password. However, the scope of this post only covers Windows Active Directory.
If you want to see how it works for yourself, I recommend taking a look at dafthack's DomainPasswordSpray PowerShell script. Don't do anything illegal or stupid with it and use at your own risk.
Requirements for detection
- Domain Controller logs
- Centralized logging with correlation capabilities (SIEM, ELK, etc.)
Analyzing the Windows event log
In order to detect password spraying we need to pay special attention to Windows event ID 4625, which means an account failed to log on. Accounts fail to log on all the time. However, if one computer fails to log on with several valid usernames but the wrong password, that should be looked into.
We can find all of this information in the Windows event log. However, we will need the ability to correlate across several different fields in this event. The fields that we need to correlate against are:
- Logon Type
- Account Name
- Sub Status
- Workstation Name
- Source Network Address
Some of these fields may need to be parsed out by your correlation tool. Below is an example of an event 4625 (the notes after "<" are annotations, not part of the event).
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3 < Network logon
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Test < Name of the account that failed to log on
Account Domain: Test
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d < Bad username or password
Sub Status: 0xc000006a < Good username, bad password
Caller Process ID: 0x0
Caller Process Name: -
Workstation Name: Bob
Source Network Address: 192.168.1.1
Source Port: 12345
Detailed Authentication Information:
Logon Process: NTLMSSP
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Creating The Correlation Rule
Now that we are a little more familiar with the log, we can start building the correlation rule.
To detect password spraying we want to match the same source network address or the same workstation name failing to log on over the network with 5 different usernames that are valid but passwords that are incorrect, over the course of 24 hours.
Hopefully that makes a little sense. Let's try looking at this in log terms.
When the event ID is 4625, the logon type is 3, the source network address or workstation name is the same, the status is 0xc000006d, the sub status is 0xc000006a, and the account name differs 5 times within 24 hours.
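Here is the rule above expressed as code, added as an illustration and not part of the original post or of any SIEM product: it groups the matching 4625 events by source address (falling back to workstation name), slides a 24-hour window over each source's failures, and reports any source that hit the threshold of distinct account names. The events, field names and timestamps are constructed for the example; the sub status 0xc0000064 used for the excluded "unknown user" record is the NTSTATUS for a nonexistent username.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, account, src, sub="0xc000006a", logon_type=3):
    """Build one constructed 4625 record with the fields the rule correlates on."""
    return {"ts": ts, "EventID": 4625, "LogonType": logon_type, "Status": "0xc000006d",
            "SubStatus": sub, "AccountName": account, "Workstation": "BOB", "SourceIP": src}

# Constructed sample events (not real logs): one source sprays five valid accounts.
SAMPLE_EVENTS = [
    ev("2018-04-02T08:00:00", "alice", "192.168.1.1"),
    ev("2018-04-02T08:00:05", "bob",   "192.168.1.1"),
    ev("2018-04-02T08:00:10", "carol", "192.168.1.1"),
    ev("2018-04-02T08:00:15", "dave",  "192.168.1.1"),
    ev("2018-04-02T08:00:20", "dave",  "192.168.1.1"),                    # repeat, not a new account
    ev("2018-04-02T08:00:25", "ghost", "192.168.1.1", sub="0xc0000064"),  # unknown user, ignored
    ev("2018-04-02T09:30:00", "erin",  "192.168.1.1"),                    # fifth distinct account
    ev("2018-04-02T08:01:00", "alice", "10.0.0.5"),
    ev("2018-04-02T08:02:00", "bob",   "10.0.0.5"),                       # only two accounts here
    ev("2018-04-02T08:03:00", "carol", "10.0.0.5", logon_type=2),         # interactive, not network
]

def is_spray_candidate(e):
    """Event 4625, network logon, bad password for a valid account (status values from the post)."""
    return (e["EventID"] == 4625 and e["LogonType"] == 3
            and e["Status"].lower() == "0xc000006d"
            and e["SubStatus"].lower() == "0xc000006a")

def detect_password_spray(events, threshold=5, window_hours=24):
    """Return {source: sorted distinct accounts} for sources that reach the threshold in the window."""
    window = timedelta(hours=window_hours)
    by_source = defaultdict(list)
    for e in events:
        if is_spray_candidate(e):
            key = e["SourceIP"] or e["Workstation"]   # fall back to workstation if no address
            by_source[key].append((datetime.fromisoformat(e["ts"]), e["AccountName"]))
    hits = {}
    for src, items in by_source.items():
        items.sort()                                 # oldest first, then slide the window
        for i, (start, _) in enumerate(items):
            accounts = {name for t, name in items[i:] if t - start <= window}
            if len(accounts) >= threshold:
                hits[src] = sorted(accounts)
                break
    return hits

if __name__ == "__main__":
    for src, accounts in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {src}: {', '.join(accounts)}")
```

In a real deployment the same grouping and window logic is what the SIEM correlation rule performs; the threshold and window are the knobs you tune when a shared host such as a terminal server produces false positives.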
In conclusion, I know this post may seem like drinking from a fire hose, especially if you are not looking at logs all day like me.
The advantage of making correlation rules this granular is that you get a very low false positive rate. The main systems you will need to tune out of this rule are terminal servers, if you have them in your environment, since many different users legitimately authenticate from the same source address.
If you have any questions feel free to ask in the comments section below or shoot me a PM on Reddit: u/mufassa810