security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
3fc34b86f215319039ee46bed42d987d671a1101
sigma-rules/rta/brute_force_login.py
T
Justin Ibarra 3fc34b86f2 Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00

56 lines
2.0 KiB
Python
Raw Blame History

# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
# Name: Brute Force Login Attempts
# RTA: brute_force_login.py
# ATT&CK: T1110
# Description: Simulates brute force or password spraying tactics.
# Remote audit failures must be enabled to trigger: `auditpol /set /subcategory:"Logon" /failure:enable`
import random
import string
import sys
import time
from . import common
@common.requires_os(common.WINDOWS)
def main(username="rta-tester", remote_host=None):
if not remote_host:
common.log('A remote host is required to detonate this RTA', '!')
return common.MISSING_REMOTE_HOST
common.enable_logon_auditing(remote_host)
common.log('Brute forcing login with invalid password against {}'.format(remote_host))
ps_command = '''
$PW = ConvertTo-SecureString "such-secure-passW0RD!" -AsPlainText -Force
$CREDS = New-Object System.Management.Automation.PsCredential {username}, $PW
Invoke-WmiMethod -ComputerName {host} -Class Win32_process -Name create -ArgumentList ipconfig -Credential $CREDS
'''
command = ['powershell', '-c', ps_command.format(username=username, host=remote_host)]
# fail 4 times - the first 3 concurrently and wait for the final to complete
for i in range(4):
common.execute(command, wait=i == 3)
time.sleep(1)
common.log('Password spraying against {}'.format(remote_host))
# fail 5 times - the first 4 concurrently and wait for the final to complete
for i in range(5):
random_user = ''.join(random.sample(string.ascii_letters, 10))
command = ['powershell', '-c', ps_command.format(username=random_user, host=remote_host)]
common.execute(command, wait=i == 4)
# allow time for audit event to process
time.sleep(2)
if __name__ == "__main__":
exit(main(*sys.argv[1:]))
Reference in New Issue View Git Blame Copy Permalink