Password Spraying
Finding the source of Windows password spraying attacks can be daunting as the Event log does not provide the source IP of the machine making the calls.
Windows Event Logs
Ideally all of your Windows Event logs from your domain controllers should be going in to some type of SIEM. I will be using Graylog in this example.
In this case we will be looking for accounts with failed login attempts by looking at Event ID 8004 (which will actually log the true source computer).
Group Policy Configuration
To ensure that EventID 8004 is being logged you need to enable the following via Windows Group Policy (on the domain controllers):
Network security: Restrict NTLM: Audit NTLM authentication in this domain = Enable all
Network security: Restrict NTLM: Audit Incoming NTLM Traffic = Enable auditing for all accounts
Graylog Query
In my case the password spraying malware was always trying usernames with capital letters. This was my search query:
EventID:8004 AND UserName:/[A-Z0-9\s]+/
You should be sorting your data based on the UserName and stacking it with the field “SChannelName” and “Workstation name”
EventID 8004
I like the description of EventID 8004 from the book Windows Security Monitoring: Scenarios and Patterns By Andrei Miroshnikov:
8004 is a dedicated event for NTLM-family protocol credentials validation requests. It generates for both successful and unsuccessful authentication requests.
These are the important fields to look at
Secure Channel Name
Contains information about the authentication target/destination hostname.
Secure Channel Type
The type of secure channel through which the authentication request was received by the domain controller
User Name
Shows the name of the domain account for which credentials were validated
Workstation Name
Contains information about the source host from which an authentication request was received by the destination host
Packet Capture
Once you have identified the source machine you may want to take a packet capture to see the attack realtime. In this case I recommend taking a packet capture from the source machine or the domain controller where you found the corresponding EventID 8004 entries.
Microsoft Network Monitor
I recommend using Microsoft Network Monitor as it works well with Windows Domain Controllers
First configure the parser profile to Windows:
- Menu Tools -> Options
- Select tab “Parser Profiles”
- In the list, Select “Windows”
- Click the button “Set as Active”
- If you are running a capture restart it
If the attacking computer’s address resolved to 10.1.10.79 this would be your query:
IPv4.Address == 10.1.10.79 AND Description == "NRPC:NetrLogonSamLogonWithFlags Request, *Encrypted*"
Without Additional Software
If you want to take a packet capture without installing additional software (which is very handy for endpoints) you can use netsh.exe
Below is an example to take an 800 MB packet capture and save the output to C:\admin\capture\NetTrace2.etl
C:\windows\system32\Netsh.exe trace start scenario=NetConnection capture=yes report=yes persistent=no maxsize=800 fileMode=single correlation=yes traceFile=C:\admin\capture\NetTrace2.etl
If you want to stop the packet capture early you can run:
C:\windows\system32\netsh.exe trace stop
Additional Resources
Other noteworthy resources on this (more:
https://social.technet.microsoft.com/Forums/ie/en-US/3d32508d-23d5-4db0-a213-ea44adc176a1/finding-the-source-of-repeated-ad-account-lockouts?forum=winserverDS
https://thesysadminchannel.com/get-account-lock-out-source-powershell/
interesting!