Suspicious Connection to Remote Account
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism.
Sigma rule

title: Suspicious Connection to Remote Account
id: 1883444f-084b-419b-ac62-e0d0c5b3693f
status: test
description: |
  Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
  Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos
author: frack113
date: 2021/12/27
tags:
  - attack.credential_access
  - attack.t1110.001
logsource:
  product: windows
  category: ps_script
  definition: 'Requirements: Script Block Logging must be enabled'
detection:
  selection:
    ScriptBlockText|contains:
      - 'System.DirectoryServices.Protocols.LdapDirectoryIdentifier'
      - 'System.Net.NetworkCredential'
      - 'System.DirectoryServices.Protocols.LdapConnection'
  condition: selection
falsepositives:
  - Unknown
level: low
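To show what the selection above actually matches, here is an added example (not part of the Sigma project or this rule's author's work) that applies the rule's three `ScriptBlockText|contains` terms to a handful of constructed PowerShell Script Block Logging events (Event ID 4104). The event record shape and field names are assumptions for the example; the sample script text is constructed, not captured telemetry.

```python
"""Evaluate the rule's selection against constructed Script Block Logging
events.  Added example, not the Sigma project's own code; the event
structure is an assumption and every event below is constructed."""

from __future__ import annotations
from dataclasses import dataclass

# The three substrings from the rule's ScriptBlockText|contains list.
SELECTION_CONTAINS = (
    "System.DirectoryServices.Protocols.LdapDirectoryIdentifier",
    "System.Net.NetworkCredential",
    "System.DirectoryServices.Protocols.LdapConnection",
)


@dataclass
class ScriptBlockEvent:
    """Minimal stand-in for a 4104 event; field names are assumptions."""
    event_id: int
    script_block_text: str
    computer: str


def matched_terms(script_block_text: str) -> list[str]:
    """Sigma's `contains` modifier is case-insensitive, so fold case
    before the substring test; return every term that matched so an
    analyst can see which API names triggered the hit."""
    haystack = script_block_text.casefold()
    return [t for t in SELECTION_CONTAINS if t.casefold() in haystack]


def selection_matches(event: ScriptBlockEvent) -> bool:
    """logsource category ps_script maps to 4104 script block events;
    `condition: selection` fires when any one listed term is present."""
    if event.event_id != 4104:
        return False
    return bool(matched_terms(event.script_block_text))


def scan(events: list[ScriptBlockEvent]) -> list[ScriptBlockEvent]:
    """Return the events the rule would alert on."""
    return [e for e in events if selection_matches(e)]


# Constructed sample events (assumed shape, not real logs).
SAMPLE_EVENTS = [
    # Script builds an LDAP connection with an explicit credential object.
    ScriptBlockEvent(
        4104,
        "$cred = New-Object System.Net.NetworkCredential($u, $p)\n"
        "$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($dc)",
        "WS01",
    ),
    # Benign administrative one-liner, no LDAP API usage.
    ScriptBlockEvent(4104, "Get-Process | Sort-Object CPU -Descending", "WS02"),
    # Lower-cased type name still matches because `contains` folds case.
    ScriptBlockEvent(4104, "new-object system.net.networkcredential", "WS03"),
    # Same API name but a different event type; outside the rule's logsource.
    ScriptBlockEvent(
        4103, "System.DirectoryServices.Protocols.LdapConnection", "WS04"
    ),
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit.computer, matched_terms(hit.script_block_text))
```

The fourth event illustrates why the `logsource` block matters as much as the string list: the same class name in a different event type is not in scope. Because legitimate directory-management scripts also instantiate these classes, the rule's `level: low` and `falsepositives: Unknown` are honest; in practice the hit is worth correlating with repeated authentication failures from the same host rather than alerting on its own.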
Related rules
- Access to Browser Login Data
- Create Volume Shadow Copy with Powershell
- NTLM Brute Force
- Request A Single Ticket via PowerShell
- Suspicious Get-ADReplAccount