Brute Force: Password Spraying (Windows)

Description

Adversaries may use a single password or a small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid the account lockouts that would normally occur when brute forcing a single account with many passwords.
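The pattern described above (few attempts per account, many accounts, one origin) can be searched for in failed-logon records. The sketch below is an added example, not part of the original page or of any Tenable product; it assumes records already parsed into (time, source, account) tuples, for instance from Windows Security event ID 4625, and the thresholds, addresses and account names are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

T0 = datetime(2022, 9, 1, 9, 0)

def _fail(minute, source, account):
    """Build one constructed failed-logon record."""
    return (T0 + timedelta(minutes=minute), source, account)

# Constructed sample data (not real logs): (time, source, target account)
SAMPLE = (
    [_fail(2 * i, "10.0.0.50", a) for i, a in
     enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]       # spray
    + [_fail(i, "10.0.0.77", "svc_backup") for i in range(12)]            # one-account brute force
    + [_fail(20 * i, "10.0.0.90", f"user{i}") for i in range(6)]          # slow spray
    + [_fail(5, "10.0.0.12", "alice"), _fail(6, "10.0.0.12", "alice")]    # user typo
)

def detect_spray(events, window=timedelta(minutes=30),
                 min_accounts=5, max_per_account=2):
    """Return {source: accounts} for sources whose failures inside one sliding
    window hit many distinct accounts with only a few tries per account."""
    by_source = defaultdict(list)
    for ts, source, account in events:
        by_source[source].append((ts, account.lower()))

    flagged = {}
    for source, rows in by_source.items():
        rows.sort()
        start, counts = 0, Counter()
        for ts, account in rows:
            counts[account] += 1
            # Drop failures that have aged out of the window.
            while ts - rows[start][0] > window:
                old = rows[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            # Many accounts, few tries each: spraying rather than a
            # single-account brute force, which would trip lockout instead.
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[source] = sorted(counts)
                break
    return flagged

if __name__ == "__main__":
    for src, accounts in detect_spray(SAMPLE).items():
        print(f"possible password spray from {src}: {', '.join(accounts)}")
```

With the default 30-minute window the slow source 10.0.0.90 stays under the threshold, which is why a longer look-back window is worth running alongside the short one.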

Products, Sensors, and Dependencies

Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes
Tenable.ad | | Active Directory | Authenticated AD user | LDAP/S (389/636) | Domain User |
Tenable.ad | Password Sync | Active Directory | Privileged AD user | RPC (135 + high ports) | User Password | Plugin ID: C-PASSWORD-HASHES-ANALYSIS

References

T.ad DCSync feature

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Credential Access

Technique: Brute Force

Sub-Technique: Password Spraying

Platform: Windows

Products Required: Tenable.ad

Tenable Release Date: 2022 Q3