Potential Password Spraying Attempt Using Dsacls.EXE
Detects possible password spraying attempts using Dsacls
Sigma rule (View on GitHub)
1title: Potential Password Spraying Attempt Using Dsacls.EXE
2id: bac9fb54-2da7-44e9-988f-11e9a5edbc0c
3status: test
4description: Detects possible password spraying attempts using Dsacls
5references:
6 - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone
7 - https://ss64.com/nt/dsacls.html
8 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022/06/20
11modified: 2023/02/04
12tags:
13 - attack.defense_evasion
14 - attack.t1218
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection_img:
20 - Image|endswith: '\dsacls.exe'
21 - OriginalFileName: "DSACLS.EXE"
22 selection_cli:
23 CommandLine|contains|all:
24 - '/user:'
25 - '/passwd:'
26 condition: all of selection*
27falsepositives:
28 - Legitimate use of dsacls to bind to an LDAP session
29level: medium
References
-
-
DSACLS.exe (installable option via RSAT /AD DS) View or Edit ACLs (access control entries) for objects in Active Directory. Syntax DSACLS "[\\Computer\]ObjectDN" [/A] [/D PermissionStatement [Permi...
Read More
Related rules
- Execute Files with Msdeploy.exe
- MSI Installation From Web
- Malicious Windows Script Components File Execution by TAEF Detection
- Potentially Over Permissive Permissions Granted Using Dsacls.EXE
- Potentially Suspicious Child Process Of DiskShadow.EXE