Potential Password Spraying Attempt Using Dsacls.EXE

Detects possible password spraying attempts using Dsacls

Sigma rule (View on GitHub)

 1title: Potential Password Spraying Attempt Using Dsacls.EXE
 2id: bac9fb54-2da7-44e9-988f-11e9a5edbc0c
 3status: test
 4description: Detects possible password spraying attempts using Dsacls
 5references:
 6    - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone
 7    - https://ss64.com/nt/dsacls.html
 8    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022/06/20
11modified: 2023/02/04
12tags:
13    - attack.execution
14    - attack.t1218
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_img:
20        - Image|endswith: '\dsacls.exe'
21        - OriginalFileName: "DSACLS.EXE"
22    selection_cli:
23        CommandLine|contains|all:
24            - '/user:'
25            - '/passwd:'
26    condition: all of selection*
27falsepositives:
28    - Legitimate use of dsacls to bind to an LDAP session
29level: medium

References

Related rules

to-top