Brute Forcing Hunt 4 Hunt

Name:
Brute Forcing Hunt 4 Hunt

TTP:
T1098 Account Manipulation, T1098.005 Account Manipulation: Device Registration, T1110 Brute Force, T1110.003 Brute Force: Password Spraying, T1133 External Remote Services, T1589 Gather Victim Identity Information, T1556.006 Modify Authentication Process: Multi-Factor Authentication, T1621 Multi-Factor Authentication Request Generation, T1572 Protocol Tunneling, T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting, T1078 Valid Accounts, T1078.004 Valid Accounts: Cloud Accounts

Hypothesis:

The threat actor will use brute force and password spraying to target multiple accounts until one is successfully compromised. Once in, the threat actor will attempt to gather credentials and other information about the network to sell.

Campaign Type:
TTP Driven

Data Sources:

Authentication logs, network perimeter logs, and any logs that track how users are accessing the network.

Tools:

  • HELK
  • PowerShell
  • Splunk
  • Jupyter Notebooks
  • Sysmon
  • Windows Event Logs
  • Elastic Beats
  • OSquery

Scenario:

Initial Access: Threat actor uses brute force and password spraying to target multiple accounts.

Defense Evasion: Threat actor uses a VPN.

Persistence: Threat actor modifies MFA settings.

Credential Access: Threat actor performs Kerberoasting.

Discovery: Threat actor uses LOLBins to gather information on the network.

Hunting Strategy:

Analyze authentication logs for failed log-in attempts. Search through network perimeter logs for connections that used a VPN. Analyze logs that track user network access for unexpected log-ins. Search for any commonalities between accounts that were targeted. If a compromised account is found, search for any suspicious process execution or an increase in outbound connections.
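The following Python script is an added example, not part of the original hunt card or of any of the listed tools; it implements the first and last steps of the strategy above over constructed Windows logon events (EventID 4625 failed logon, 4624 successful logon, reduced to the fields a SIEM would extract). It separates password spraying (one source, many distinct accounts, few attempts each) from brute force (one source hammering one account), and then pivots to any later successful logon from a flagged source, which yields the candidate compromised accounts to investigate for follow-on process execution and outbound connections. The sample events, the field names, and the window and count thresholds are assumptions; the thresholds are where per-environment false-positive tuning happens.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like the fields a SIEM extracts from the
# Windows Security log (4625 = failed logon, 4624 = successful logon).
# Invented for this example; not real telemetry.
SAMPLE_EVENTS = [
    # Pattern 1: one external source tries many accounts once each (spray),
    # and the last attempt succeeds.
    {"time": "2024-03-01T08:00:01", "event_id": 4625, "user": "alice", "src_ip": "203.0.113.10"},
    {"time": "2024-03-01T08:00:05", "event_id": 4625, "user": "bob", "src_ip": "203.0.113.10"},
    {"time": "2024-03-01T08:00:09", "event_id": 4625, "user": "carol", "src_ip": "203.0.113.10"},
    {"time": "2024-03-01T08:00:13", "event_id": 4625, "user": "dave", "src_ip": "203.0.113.10"},
    {"time": "2024-03-01T08:00:17", "event_id": 4625, "user": "erin", "src_ip": "203.0.113.10"},
    {"time": "2024-03-01T08:00:21", "event_id": 4624, "user": "erin", "src_ip": "203.0.113.10"},
    # Pattern 2: one source repeatedly fails against a single service account.
    *[{"time": f"2024-03-01T09:10:{i:02d}", "event_id": 4625,
       "user": "svc_backup", "src_ip": "198.51.100.7"} for i in range(0, 48, 8)],
    # Pattern 3: an employee mistypes a password twice, then logs in (benign noise).
    {"time": "2024-03-01T10:00:00", "event_id": 4625, "user": "frank", "src_ip": "10.0.0.5"},
    {"time": "2024-03-01T10:00:30", "event_id": 4625, "user": "frank", "src_ip": "10.0.0.5"},
    {"time": "2024-03-01T10:01:00", "event_id": 4624, "user": "frank", "src_ip": "10.0.0.5"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {src_ip: sorted targeted accounts} for sources whose failed logons
    hit at least `min_accounts` distinct users inside any `window`. A sliding
    window per source keeps a slow spray from being diluted by daily noise."""
    failures = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append(e)
    findings = {}
    for src, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            users = {x["user"] for x in evs[start:end + 1]}
            if len(users) >= min_accounts:
                findings[src] = sorted(users)
                break
    return findings


def find_brute_force(events, window=timedelta(minutes=10), min_attempts=5):
    """Return {(src_ip, user): attempts} where one source fails against the
    same account at least `min_attempts` times inside `window`."""
    failures = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["event_id"] == 4625:
            failures[(e["src_ip"], e["user"])].append(_ts(e))
    findings = {}
    for key, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= min_attempts:
                findings[key] = max(findings.get(key, 0), count)
    return findings


def successes_after_attack(events, suspicious_sources):
    """Return (src_ip, user) pairs where a flagged source later produced a
    successful logon: the accounts to treat as possibly compromised and to
    pivot on for process execution and outbound-connection review."""
    first_failure = {}
    ordered = sorted(events, key=_ts)
    for e in ordered:
        if e["event_id"] == 4625 and e["src_ip"] in suspicious_sources:
            first_failure.setdefault(e["src_ip"], _ts(e))
    return [(e["src_ip"], e["user"]) for e in ordered
            if e["event_id"] == 4624 and e["src_ip"] in first_failure
            and _ts(e) >= first_failure[e["src_ip"]]]


def run_hunt(events):
    spray = find_password_spray(events)
    brute = find_brute_force(events)
    suspicious = set(spray) | {src for src, _ in brute}
    return {
        "password_spray": spray,
        "brute_force": brute,
        "compromised_candidates": successes_after_attack(events, suspicious),
    }


if __name__ == "__main__":
    for section, result in run_hunt(SAMPLE_EVENTS).items():
        print(section, result)
```

On the sample, the spraying source is flagged with five targeted accounts, the service-account hammering is flagged as brute force, and only the spray source's later success (erin) becomes a compromised candidate; frank's two typos never cross either threshold. Raising `min_accounts` or `min_attempts`, or shrinking `window`, is how the same logic is tuned against the false-positive sources the card lists.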

False Positive Consideration:

Failed log-in attempts happen all the time. There could be many instances of employees using VPNs to access the network. Employees could be accessing the network from multiple locations.

Recommendations:

Implement strong password policies and require a second form of authentication. Mandate phishing-resistant MFA. Ensure password policies align with NIST standards.

D3 Diagram:
