L1140-Blue: The Hunt for Domain Password Spray
Complementing L1140-Red, in this Lab we will be hunting for the trail of IoCs that were the result of downloading and executing Domain Password Spray Tools.
- Spend more time in the Kibana dashboard.
- Review Event Code 4625
- Check ElastAlert
- Discuss Sigma Applicability
- Off-Road on Brute-Forcing
Connect to the Helk service. Begin hunting for evidence of a suspicious activity based on event log types related to massive credentialing attempts.
Event Code 4625
Lets kickoff the hunt! Login to the WS01 system and access Kibana.
Login to Member Server (WS01)
Connect via Remote Desktop to the Member Server (WS01).
See Lab L0200 for connection instructions.
Access Kibana on the (H)ELK SIEM
Using Chrome or Internet Explorer on Member Server, access the Kibana URI and login using the credentials below.
URL: https://10.10.98.20
Useranme: helk
Password: hunting
Event Code Hunt 4625
Open the Kibana interface
- Select log index logs-endpoint-winevent-security-*
- Search for event.code : 4625
logs-endpoint-winevent-security-*
event_id: 4624 or event_id: 4625
The results will differ slightly, but approximately 212 instances of Event ID 4624 be captured for each iteration of DomainPasswordSpray.
 |
|---|
The individual events appear as follows, and as seen in the following screenshot; click to expand the document. Once expanded, more investigations will be completed in the next section of this lab.
 |
|---|
You have identified the Event Log types 4625 (failed) and 4624 (succeeded) that is generated when Domain Password Spray is executed across the domain. Continue in the next section of the lab to refine the identification of the execution.
Off-Roading with Domain Password Spray
Safari's sometimes have to start at home-camp. Login to the domain controller and open the Event Viewer. Then, select the "Security" event log. Click on filter log and we will filter with event-ids 4624, and 4625. These are very common event-ids and are normal activity for a Domain Controller's Directory Service authentication protocol services.
Open Security Event Log on DC01
- Connect (RDP) to the Domain Controller, DC01.
- Open the Event Viewer.
 |
|---|
Filter Security Event Log on DC01
- Press Filter current Log
- Enter 4624,4625 in the Event ID field.
- Accept the dialog configuration and review the returned filtered event log.
 |
|---|
- Does this behavior look appropriate?
- Can you tell looking at event-ids 4624 and 4625 event logs in the Event Log Viewer that anything has occurred?
- You may see many 4624, is that normal?
- Remember, 4624 and 4625 are normal behavior for a Domain Controller's operation.
Close the Event Viewer, disconnect RDP from DC01, and return to Kibana.
Checking Kibana for 4624 and 4625
Access Kibana on the (H)ELK SIEM
Using Chrome or Internet Explorer on Member Server, access the Kibana URI and login using the credentials below.
URL: https://10.10.98.20
Useranme: helk
Password: hunting
Query for 4624 and 4625.
Now that additional time has passed since the password spray occurred, it may be possible to compare the 4624 and 4625 event-ids off their baseline to see if the Domain Password Spray caused an anomaly.
event_id: 4624 or event_id: 4625
 |
|---|
After visualizing the spike in Kibana, it becomes quite apparent that some event occurred at the specific time, indicated by the spike in the time graph.
ElastAlert and Log volume spike.
Remember ElastAlerts role of monitoring new logs in Elastic at certain intervals for aggregate analysis? The below ElastAlert configuration has been previously configured. Review the example_Spike.yaml configuration file at the ElastAlert GitHub Repo.
Take note of the configuration options
- timeframe hours
- spike_height
- spike_type
- filter
How could the ElastAlert spike filter have helped us in hunting for the Domain Password Spray?
Spike Analysis
Continue in Kibana by drilling down on the spike log data.
 |
|---|
Continue to narrow down the results until the time window is small enough to search logs for common patterns. This will require experimentation.
event_id: 4624 or event_id: 4625
Expand the documents.
- Which items of the documents would be useful to add to the table as a column?
Here is a potential example:
 |
|---|
At this point, it is quite obvious that a password spray occurred.
- But, what was the impact of the password spray? Do we need an IR investigation?
Buried in the Audit Failures (4624) should be the successful authentication (4625) of mona.ballard that we witness during the password spray attack. By looking inside the short interval of the volume-spike, you are able to find all successful authentications during that period.
 |
|---|
- Do you have enough information in Kibana to determine if the successful login of mona.ballard was part of the Domain Password Spray attack, or just a coincidental successful login during the password spray attack?
Do we need an IR investigation?
(yes, the answer is yes.)
Mitre ATT&CK Mapping
Review the Mitre attack T1110.003.
https://attack.mitre.org/beta/techniques/T1110/003/
- Does it apply into this scenario?
- How could we use this information to further hunt or build a defense?
ElastAlert Sigma Rule
Check the ElastAlert indices during the same time-frame as the spike.
- Were there interesting entries found during the spike of event-ids 4624 and 4625?
- How can these documents help us better understand the attack, our hunt, and how we could defend?
 |
|---|
Consider the attack pathology and what you have learned about how the attack works by inspecting threat optics.
Detection and Defense
While it is possible to identify a password spray, it is much more difficult to prevent them. Threat detection of spikes in credential validation attempts as an incident. If a successful login occurs, investigate as there is real possibility the account has been compromised.
- Strong password policies can limit the effects of a password spray.
- Application Firewalls can prevent external authentication password sprays (WAF & Secure CDN)
You have completed this lab.
created with the free version of
Markdown Monster