Brute Force: Credential Stuffing (Windows)

Description

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's password complexity policies or its policies that lock accounts out after a number of failed attempts.

Products, Sensors, and Dependencies

Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes
Tenable Identity Exposure | | Active Directory | Authenticated AD user | LDAP/S (389/636) | Domain User |
Tenable Identity Exposure | Password Sync | Active Directory | Privileged AD user | RPC (135 + high ports) | User Password | Plugin ID: 50-C-PASSWORD-HASHES-ANALYSIS:R-BREACHED-PASSWORD

References

Tenable Identity Exposure DCSync feature

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Credential Access

Technique: Brute Force

Sub-Technique: Credential Stuffing

Platform: Windows

Products Required: Tenable Identity Exposure

Tenable Release Date: 2023 Q3