Detections
Analytics
Brute Force: Password Spraying (Windows)
Description
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.
Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable Identity Exposure | Active Directory | Authenticated AD user | LDAP/S(389/636) | Domain User | ||
| Tenable Identity Exposure | Password Sync | Active Directory | Privileged AD user | RPC (135 + high ports) | User Password | Plugin ID: 50-C-PASSWORD-HASHES-ANALYSIS:R-PASSWORD-REUSE-WITHIN-DOMAIN-PRIV, Plugin ID: 50-C-PASSWORD-HASHES-ANALYSIS:R-PASSWORD-REUSE-WITHIN-DOMAIN |
References
Attack Path Technique Details
Framework: MITRE ATT&CK
Family: Credential Access
Technique: Brute Force
Sub-Technique: Password Spraying
Platform: Windows
Products Required: Tenable Identity Exposure
Tenable Release Date: 2022 Q3