Password Spraying
https://attack.mitre.org/techniques/T1110/003/
ATT&CK ID: T1110.003
Permissions Required: User
Description
Adversaries may use a single or small list of commonly used passwords against many different accounts, in order to attempt acquisition of valid account credentials.
Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.
(Source: MITRE ATT&CK, https://attack.mitre.org/techniques/T1110/003/)
Linux
CrackMapExec
Hydra
Windows
Invoke-DomainPasswordSpray
Link: https://github.com/The-Viper-One/DomainPasswordSpray
PsMapExec
GitHub: https://github.com/The-Viper-One/PsMapExec
Scenario
In the scenario below we have a Windows Server 2022 Domain Controller containing the following domain user accounts:
In an enterprise environment Active Directory might contain hundreds or even thousands of domain user accounts. Below we can see the Default Domain Policy for the 'Account Policies/Account Lockout Policy' setting.
The settings shown above are generally the default lockout settings you will find in domain environments. With the default settings a brute force attack is possible, but it is severely hindered by the 30 minute lockout timer.
We also have the issue that locking out accounts is 'noisy' and may trigger alerts from the enterprise's blue team.
The advantage of password spraying is that a large number of accounts can be tried against a very small list of common passwords in the hope of a hit. As long as the attacker stays below the lockout threshold, this attack can be quite stealthy.
Below, a single user account has been brute forced with a large password list, locking the account out.
Over on the Domain Controller we can see event ID 4740 in the event logs, recording that the account was locked out.
Spraying passwords against a list of known users gives some good results with a small password list, one short enough not to trigger the account lockout on any of the accounts.
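To make the difference between the two patterns concrete from the blue team side, here is an added detection example (not from the original page or any of the tools listed above): it groups failed logon (4625) and lockout (4740) events by source address and flags a source as a spray when it touches many accounts while each account stays under the lockout threshold, and as brute force when one account is hammered or a lockout appears. The event records, the threshold of 5 and the 30 minute window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of DC Security events (not real logs): 4625 = failed logon,
# 4740 = account locked out. 'src' is the IpAddress field of the event.
SAMPLE_EVENTS = [
    # Brute force: one account hammered from 10.0.0.5 until it locks (4740).
    *[{"id": 4625, "time": f"2024-01-01T10:00:{s:02d}", "user": "alice", "src": "10.0.0.5"}
      for s in range(6)],
    {"id": 4740, "time": "2024-01-01T10:00:06", "user": "alice", "src": "10.0.0.5"},
    # Spray: one guess per account from 10.0.0.9, staying under the threshold.
    *[{"id": 4625, "time": f"2024-01-01T11:00:{i:02d}", "user": u, "src": "10.0.0.9"}
      for i, u in enumerate(["bob", "carol", "dave", "erin", "frank", "grace", "heidi"])],
    # A single mistyped password from 10.0.0.7: should not alert.
    {"id": 4625, "time": "2024-01-01T12:00:00", "user": "judy", "src": "10.0.0.7"},
]

LOCKOUT_THRESHOLD = 5           # assumed lockout threshold of the domain policy
MIN_SPRAYED_ACCOUNTS = 5        # distinct accounts from one source before alerting
WINDOW = timedelta(minutes=30)  # assumed window, matching the 30 minute lockout timer


def classify_sources(events, threshold=LOCKOUT_THRESHOLD,
                     min_accounts=MIN_SPRAYED_ACCOUNTS, window=WINDOW):
    """Label each source IP: 'brute_force' (one account tried >= threshold times or a
    4740 seen), 'password_spray' (>= min_accounts distinct accounts, each tried fewer
    than threshold times, inside the window) or 'none'."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        failed = sorted((e for e in evs if e["id"] == 4625),
                        key=lambda e: datetime.fromisoformat(e["time"]))
        lockouts = sum(1 for e in evs if e["id"] == 4740)
        per_user = defaultdict(int)
        for e in failed:
            per_user[e["user"]] += 1
        peak = max(per_user.values(), default=0)
        span = (datetime.fromisoformat(failed[-1]["time"])
                - datetime.fromisoformat(failed[0]["time"])) if failed else timedelta(0)
        if lockouts or peak >= threshold:
            verdict = "brute_force"
        elif len(per_user) >= min_accounts and span <= window:
            verdict = "password_spray"
        else:
            verdict = "none"
        findings[src] = {"verdict": verdict, "accounts": len(per_user),
                         "max_per_account": peak, "lockouts": lockouts}
    return findings
```

In a real deployment the same grouping is worth repeating per target account across all sources, since a spray spread over many source addresses keeps each single source under `MIN_SPRAYED_ACCOUNTS`.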
Mitigations
Account Lockout Policies
Set an account lockout policy that locks accounts after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render the environment unusable, with every account targeted by the brute force being locked out.
Password Policies
Global banned password list
Use Microsoft's global banned password list. This requires a hybrid setup with Azure Active Directory. It uses Microsoft Entra telemetry to prevent users from setting passwords that are known to be common, weak, or contained in breach databases.
Playbook
Refer to the following playbook; it is mostly geared towards Azure but contains some great information.