← Library
sigmaDRL-1.1from SigmaHQ/sigma

Potential Password Spraying Attempt Using Dsacls.EXE

Detects possible password spraying attempts using Dsacls

Quality
82
FP risk
Forks
0
Views
0
ATT&CK techniques
T1218
Rule sourcerules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml
title: Potential Password Spraying Attempt Using Dsacls.EXE
id: bac9fb54-2da7-44e9-988f-11e9a5edbc0c
status: test
description: Detects possible password spraying attempts using Dsacls
references:
    - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone
    - https://ss64.com/nt/dsacls.html
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2023-02-04
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\dsacls.exe'
        - OriginalFileName: "DSACLS.EXE"
    selection_cli:
        CommandLine|contains|all:
            - '/user:'
            - '/passwd:'
    condition: all of selection*
falsepositives:
    - Legitimate use of dsacls to bind to an LDAP session
level: medium