Brute Force: Password Spraying (Windows)

Description

Adversaries may use a single password or a small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid the account lockouts that would normally occur when brute forcing a single account with many passwords.

Products, Sensors, and Dependencies

| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable Identity Exposure | | Active Directory | Authenticated AD user | LDAP/S (389/636) | Domain User | |
| Tenable Identity Exposure | Password Sync | Active Directory | Privileged AD user | RPC (135 + high ports) | User Password | Plugin ID: 50-C-PASSWORD-HASHES-ANALYSIS:R-PASSWORD-REUSE-WITHIN-DOMAIN-PRIV, Plugin ID: 50-C-PASSWORD-HASHES-ANALYSIS:R-PASSWORD-REUSE-WITHIN-DOMAIN |

References

Tenable Identity Exposure DCSync feature

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Credential Access

Technique: Brute Force

Sub-Technique: Password Spraying

Platform: Windows

Products Required: Tenable Identity Exposure

Tenable Release Date: 2022 Q3