Suspicious Connection to Remote Account
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism.
Sigma rule
title: Suspicious Connection to Remote Account
id: 1883444f-084b-419b-ac62-e0d0c5b3693f
status: test
description: |
  Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
  Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos
author: frack113
date: 2021-12-27
tags:
  - attack.credential-access
  - attack.t1110.001
logsource:
  product: windows
  category: ps_script
  definition: 'Requirements: Script Block Logging must be enabled'
detection:
  selection:
    ScriptBlockText|contains:
      - 'System.DirectoryServices.Protocols.LdapDirectoryIdentifier'
      - 'System.Net.NetworkCredential'
      - 'System.DirectoryServices.Protocols.LdapConnection'
  condition: selection
falsepositives:
  - Unknown
level: low
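The following is an added example, not part of the rule page or the Sigma project: it evaluates this rule's `ScriptBlockText|contains` selection against a handful of constructed PowerShell Script Block Logging events so the matching behaviour is visible. It assumes the usual Sigma mapping of `category: ps_script` to Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, and it applies Sigma's default case-insensitive string matching; the event dictionaries, `ScriptBlockId` values and helper names (`matched_patterns`, `rule_matches`, `evaluate`) are all constructed for the example.

```python
"""Added example (not part of the Sigma rule page): apply the rule's
selection to constructed Event ID 4104 records. Sigma string modifiers
such as 'contains' are case-insensitive by default, so comparison is done
on lower-cased text."""

# Patterns copied from the rule's selection list.
SELECTION_PATTERNS = (
    "System.DirectoryServices.Protocols.LdapDirectoryIdentifier",
    "System.Net.NetworkCredential",
    "System.DirectoryServices.Protocols.LdapConnection",
)

# Constructed sample events: a minimal stand-in for the fields a SIEM would
# populate from Microsoft-Windows-PowerShell/Operational Event ID 4104.
SAMPLE_EVENTS = [
    {
        "EventID": 4104,
        "ScriptBlockId": "constructed-0001",
        "ScriptBlockText": (
            "$id = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier('dc01', 389)\n"
            "$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)\n"
        ),
    },
    {
        "EventID": 4104,
        "ScriptBlockId": "constructed-0002",
        # Benign administrative script: none of the patterns appear.
        "ScriptBlockText": "Get-ChildItem C:\\Temp | Where-Object Length -gt 1MB",
    },
    {
        "EventID": 4104,
        "ScriptBlockId": "constructed-0003",
        # Mixed case: still matches because Sigma 'contains' ignores case.
        "ScriptBlockText": "$cred = new-object system.net.networkcredential($u, $p)",
    },
    {
        "EventID": 4103,  # module logging, not a script block: outside ps_script
        "ScriptBlockId": "constructed-0004",
        "ScriptBlockText": "System.DirectoryServices.Protocols.LdapConnection",
    },
]


def matched_patterns(script_block_text):
    """Return the rule patterns present in a script block (case-insensitive)."""
    haystack = script_block_text.lower()
    return [p for p in SELECTION_PATTERNS if p.lower() in haystack]


def rule_matches(event):
    """Apply the rule: logsource category ps_script (assumed Event ID 4104)
    and the selection condition. A list under 'contains' is an OR, so one
    matched pattern is enough."""
    if event.get("EventID") != 4104:
        return False
    return bool(matched_patterns(event.get("ScriptBlockText", "")))


def evaluate(events):
    """Return the ScriptBlockIds of events that trigger the rule."""
    return [e["ScriptBlockId"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["ScriptBlockId"], rule_matches(e),
              matched_patterns(e["ScriptBlockText"]))
```

Because the selection fires on any single .NET type name, legitimate directory tooling that instantiates `LdapConnection` will also match, which is why the rule carries `level: low` and `falsepositives: Unknown`; a triage step that counts distinct credential attempts per source within a short window is the natural next filter on top of this match.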
Related rules
- HackTool - Hydra Password Bruteforce Execution
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- ADCS Certificate Template Configuration Vulnerability
- ADCS Certificate Template Configuration Vulnerability with Risky EKU