Potential Password Spraying Attempt Using Dsacls.EXE

 1title: Potential Password Spraying Attempt Using Dsacls.EXE
 2id: bac9fb54-2da7-44e9-988f-11e9a5edbc0c
 3status: test
 4description: Detects possible password spraying attempts using Dsacls
 5references:
 6    - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone
 7    - https://ss64.com/nt/dsacls.html
 8    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022-06-20
11modified: 2023-02-04
12tags:
13    - attack.defense-evasion
14    - attack.t1218
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_img:
20        - Image|endswith: '\dsacls.exe'
21        - OriginalFileName: "DSACLS.EXE"
22    selection_cli:
23        CommandLine|contains|all:
24            - '/user:'
25            - '/passwd:'
26    condition: all of selection*
27falsepositives:
28    - Legitimate use of dsacls to bind to an LDAP session
29level: medium

References

• Enumerating AD Object Permissions with dsacls | Red Team Notes

  

  Enumeration, living off the land

  
  Read More

• DSACLS - Directory Service ACLs - Windows CMD - SS64.com

  DSACLS.exe (installable option via RSAT /AD DS) View or Edit ACLs (access control entries) for objects in Active Directory. Syntax DSACLS "[\\Computer\]ObjectDN" [/A] [/D PermissionStatement [Permi...

  
  Read More

• Dsacls

  

  Dsacls Article 08/31/2016 Applies To: Windows Server 2003, Windows Server 2008, Windows Server 2003 R2, Windows Server 2012, Windows Server 2003 with SP1, Windows 8 Displays and changes permissions...

  
  Read More

Related rules

• Abusing Print Executable
• AddinUtil.EXE Execution From Uncommon Directory
• AgentExecutor PowerShell Execution
• Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
• Arbitrary File Download Via MSOHTMED.EXE