Password Spray with Kerbrute
I have been playing with Kerberos authentication detection rules in our SIEM.
I wanted an alert to be triggered in the event of brute force attacks and password sprays on our AD accounts and I wanted to be able to tune and test these alerts by simulating these types of attacks.
A pen tester recommended I use a tool called Kerbrute to simulate this attacker behaviour.
https://github.com/ropnop/kerbrute
It can do the following:
- userenum: enumerate valid usernames via Kerberos pre-authentication responses
- passwordspray: try a single password against a list of usernames
- bruteuser: try a list of passwords against a single user
- bruteforce: try username:password combinations from a list
I had trouble downloading the tool at first as it was triggering various alerts across different systems flagging the exe as a hack tool. That was a good test.
After adding the correct exclusions, I did the following.
Document the org's account lockout threshold and lockout observation window (from the default domain password policy and any fine-grained password policies), since the spray pacing below depends on both.
Inform users of what you are doing and when you are doing it.
User enumeration:
.\kerbrute.exe userenum --dc <dc ip> -d <domain> usernames.txt
Does not cause any account lockouts, because no password is sent and failed pre-authentication is never recorded.
Generates Windows event ID 4768 on the DC; names that do not exist are logged with failure code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN).
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4768
Password Spray:
Take the valid usernames from the enumeration step and run a single password against them.
.\kerbrute.exe passwordspray --verbose --safe --dc <dc ip> -d <domain> usernames.txt "Password123"
--safe aborts the spray as soon as any account comes back as locked out.
NOTE: Every wrong guess increments the bad password count on that account, so if you run more attempts per account than the lockout threshold allows within the observation window you will lock accounts out. One password per observation window is the safe pace.
Generates Windows event ID 4771 (failure code 0x18, KDC_ERR_PREAUTH_FAILED) for each wrong password, and event ID 4768 (a TGT is issued) when the sprayed password is correct for an account.
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4771
The SIEM rules look for a certain number of 4768 and/or 4771 events covering a certain number of distinct accounts, from one source, within a very short time window, which is exactly the pattern both commands above produce.
I experimented with these thresholds, tuning until I was satisfied with the level of noise and potential attacker numbers before turning the alerts on.