Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Распыление пароля
Сертификаты СЗИ
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Распыление пароля
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Brute Force:  Распыление пароля

ID Название
.001 Угадывание пароля
.002 Взлом пароля
.003 Распыление пароля
.004 Подстановка украденных учетных данных

Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying) Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following: * SSH (22/TCP) * Telnet (23/TCP) * FTP (21/TCP) * NetBIOS / SMB / Samba (139/TCP & 445/TCP) * LDAP (389/TCP) * Kerberos (88/TCP) * RDP / Terminal Services (3389/TCP) * HTTP/HTTP Management Services (80/TCP & 443/TCP) * MSSQL (1433/TCP) * Oracle (1521/TCP) * MySQL (3306/TCP) * VNC (5900/TCP) In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018) In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625.

ID: T1110.003
Относится к технике:  T1110
Тактика(-и): Credential Access
Платформы: Containers, IaaS, Identity Provider, Linux, macOS, Network, Office Suite, SaaS, Windows
Источники данных: Application Log: Application Log Content, User Account: User Account Authentication
Версия: 1.6
Дата создания: 11 Feb 2020
Последнее изменение: 14 Oct 2024

Примеры процедур
Название Описание
Bad Rabbit

Bad Rabbit’s infpub.dat file uses NTLM login credentials to brute force Windows machines.(Citation: Secure List Bad Rabbit)
CrackMapExec

CrackMapExec can brute force credential authentication by using a supplied list of usernames and a single password.(Citation: CME Github September 2018)
Linux Rabbit

Linux Rabbit brute forces SSH passwords in order to attempt to gain access and install its malware onto the server. (Citation: Anomali Linux Rabbit 2018)
Sandworm Team

Sandworm Team has used a script to attempt RPC authentication against a number of hosts.(Citation: Dragos Crashoverride 2018)

Agrius

Agrius engaged in password spraying via SMB in victim environments.(Citation: Unit42 Agrius 2023)
Ember Bear

Ember Bear has conducted password spraying against Outlook Web Access (OWA) infrastructure to identify valid user names and passwords.(Citation: CISA GRU29155 2024)
APT29

APT29 has conducted brute force password spray attacks.(Citation: MSRC Nobelium June 2021)(Citation: MSTIC Nobelium Oct 2021)(Citation: NCSC et al APT29 2024)
HEXANE

HEXANE has used password spraying attacks to obtain valid credentials.(Citation: SecureWorks August 2019)
Lazarus Group

Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)
APT33

APT33 has used password spraying to gain access to target systems.(Citation: FireEye APT33 Guardrail)(Citation: Microsoft Holmium June 2020)
Silent Librarian

Silent Librarian has used collected lists of names and e-mail accounts to use in password spraying attacks against private sector targets.(Citation: DOJ Iran Indictments March 2018)
Chimera

Chimera has used multiple password spraying attacks against victim's remote services to obtain valid user and administrator accounts.(Citation: NCC Group Chimera January 2021)
MailSniper

MailSniper can be used for password spraying against Exchange and Office 365.(Citation: GitHub MailSniper)
Leafminer

Leafminer used a tool called Total SMB BruteForcer to perform internal password spraying.(Citation: Symantec Leafminer July 2018)
APT28

APT28 has used a brute-force/password-spray tooling that operated in two modes: in password-spraying mode it conducted approximately four authentication attempts per hour per targeted account over the course of several days or weeks.(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: Microsoft Targeting Elections September 2020) APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password spray attacks.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Контрмеры
Контрмера Описание
Multi-factor Authentication

Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.
Password Policies

Set and enforce secure password policies for accounts.
Account Use Policies

Configure features related to account use like login attempt lockouts, specific login times, etc.

Обнаружение

Monitor authentication logs for system and application login failures of Valid Accounts. Specifically, monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. Consider the following event IDs:(Citation: Trimarc Detecting Password Spraying) * Domain Controllers: "Audit Logon" (Success & Failure) for event ID 4625. * Domain Controllers: "Audit Kerberos Authentication Service" (Success & Failure) for event ID 4771. * All systems: "Audit Logon" (Success & Failure) for event ID 4648.

Ссылки

  1. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
  2. US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.
  3. Thyer, J. (2015, October 30). Password Spraying & Other Fun with RPCCLIENT. Retrieved April 25, 2017.
  4. Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password Spraying with Security Event Auditing. Retrieved January 16, 2019.
  5. Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.
  6. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
  7. Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019.
  8. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
  9. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  10. UK National Cyber Security Center et al. (2024, February). SVR cyber actors adapt tactics for initial cloud access. Retrieved March 1, 2024.
  11. MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021.
  12. Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.
  13. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19
  14. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  15. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  16. Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.
  17. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  18. Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023.
  19. DOJ. (2018, March 23). U.S. v. Rafatnejad et al . Retrieved February 3, 2021.
  20. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  21. Bullock, B., . (2018, November 20). MailSniper. Retrieved October 4, 2019.
  22. Grassi, P., et al. (2017, December 1). SP 800-63-3, Digital Identity Guidelines. Retrieved January 16, 2019.
  23. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  24. Moussa Diallo and Brett Winterford. (2024, April 26). How to Block Anonymizing Services using Okta. Retrieved May 28, 2024.
  25. Microsoft. (2022, December 14). Conditional Access templates. Retrieved February 21, 2023.
  26. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  27. Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021.
  28. Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.