SOC Analyst Series: @maikroservice


@maikroservice

SOC ANALYST SERIES: PASSWORDS

https://academy.maikroservice.com

What happens when hackers test many different username / password combinations?

that’s a brute-force attack
Wait, but there are also different kinds of brute-force attacks, no?

YES!

Brute Force
Password Spraying
Credential Stuffing

cool, but um... what’s the difference?!

glad you asked! let’s look into password spraying first

Password Spraying

Password Spraying

ONE (or very few) passwords tested AGAINST MANY accounts (on one/few machines)

Winter2024! -> BOB, TOM, JIM

Credential Stuffing

DISCOVERED/KNOWN credentials against MANY machines

JIM:Winter2024!

ok cool but what exactly is Brute-Force then?

Password Brute-Force

Username Brute-Force
great, but umm... can we detect that somehow?

Sure! let’s run the attack first - setup:

on any linux vm

$ sudo apt-get install hydra

then type hydra, the output should look like this ⬆️ (screenshot not included)
software ✅
wordlist ❌
now we download a common wordlist

https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Common-Credentials/10-million-password-list-top-100.txt
link in comments

What’s a wordlist?

AHA! a wordlist holds the passwords / usernames / things to try during the brute-force attack

ok cool,
software ✅
wordlist ✅
now, run the attack! 😈

$ hydra -l administrator -P 10-million-password-list-top-100.txt <computer_ip_here> smb

Where can I see this in my SIEM?!

SIEM MAGIC!

open wazuh!

Great! We can see the attempts, but how does that work?
GREAT Question!

Here we see the triggered Rules: 60122 & 60204

nice, but umm.. what do I do with those numbers?!

go to https://github.com/wazuh/wazuh and search for the first ID: 60122

click on the result and look at the rule 60122

focus on the <field name="... line

This looks for Windows Event IDs 529 or 4625

Great, but what are those?!

if you don’t know, look at this beautiful list:

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx

💡 make sure to click on “Windows Audit” on the left, select “All categories” top right, and “All Events” bottom right

then find/search for 529 and 4625

AHA! those are failed login attempt Events

but... why two of them?!

you are so SMART!

The difference is that 529 is the Event for Windows Operating Systems before 2008 and 4625 for those that came after 2008
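The deck shows the attack side (hydra) and then the detection side (Wazuh rule 60122 firing on Event IDs 529/4625). The following is an added example, not code from the deck or from the Wazuh project: a small Python script that reproduces the defender's side on sample data. It keeps only failed-logon events (the same Event ID check as rule 60122), then groups the failures per source address so the patterns explained earlier in the deck (password brute-force on one account, password spraying across many accounts, username brute-force against names that do not exist) can be told apart. All alert records are constructed for the example; the field layout (data.win.system.eventID, data.win.eventdata.targetUserName / ipAddress / subStatus) is assumed to match what the Wazuh Windows eventchannel decoder produces, and the thresholds are illustrative.

```python
import json
from collections import defaultdict

# Sub-status codes Windows records in a 4625 event (documented NTSTATUS values).
BAD_PASSWORD = "0xc000006a"   # the account exists, the password was wrong
NO_SUCH_USER = "0xc0000064"   # the account name does not exist

# The two Event IDs rule 60122 matches in its <field name="win.system.eventID">.
FAILED_LOGON_IDS = {"529", "4625"}


def _event(event_id, user, ip, sub_status=""):
    """Build one constructed Wazuh-style alert record (field layout is an assumption)."""
    return {"data": {"win": {"system": {"eventID": event_id},
                             "eventdata": {"targetUserName": user,
                                           "ipAddress": ip,
                                           "subStatus": sub_status}}}}


# Constructed sample alerts, serialised one JSON record per line like alerts.json.
_SAMPLE = (
    [_event("4625", "administrator", "10.0.0.5", BAD_PASSWORD)] * 8              # hydra -l administrator -P wordlist
    + [_event("4625", u, "10.0.0.6", BAD_PASSWORD)
       for u in ("bob", "tom", "jim", "ann", "eve", "sam")]                      # one password, many accounts
    + [_event("4625", f"guest{i}", "10.0.0.7", NO_SUCH_USER) for i in range(6)]  # guessing names that do not exist
    + [_event("4625", "jim", "10.0.0.8", BAD_PASSWORD)] * 2                      # a user mistyping twice: benign
    + [_event("4624", "jim", "10.0.0.9")]                                        # successful logon: must be ignored
)
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in _SAMPLE)


def parse_alerts(text):
    """Parse newline-delimited JSON alert records, skipping blank or broken lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def failed_logons(records):
    """Yield (source_ip, target_user, sub_status) for failed-logon events only."""
    for rec in records:
        win = rec.get("data", {}).get("win", {})
        if win.get("system", {}).get("eventID") not in FAILED_LOGON_IDS:
            continue
        ed = win.get("eventdata", {})
        yield (ed.get("ipAddress", "-"),
               ed.get("targetUserName", "-").lower(),
               ed.get("subStatus", "").lower())


def summarize(records):
    """Count failed logons per source address, remembering which accounts were hit."""
    per_source = defaultdict(lambda: {"attempts": 0, "users": set(), "unknown_users": set()})
    for ip, user, sub in failed_logons(records):
        stats = per_source[ip]
        stats["attempts"] += 1
        stats["users"].add(user)
        if sub == NO_SUCH_USER:
            stats["unknown_users"].add(user)
    return per_source


def classify(summary, min_attempts=5, min_accounts=5):
    """Label each source that crossed min_attempts with the pattern its failures form.

    Thresholds are illustrative; tune them to the environment's normal failure rate.
    """
    labels = {}
    for ip, stats in summary.items():
        if stats["attempts"] < min_attempts:
            continue                                 # below threshold: ordinary typos
        n_users = len(stats["users"])
        if len(stats["unknown_users"]) >= min_accounts:
            labels[ip] = "username brute-force"      # many names Windows says do not exist
        elif n_users >= min_accounts and stats["attempts"] / n_users <= 2:
            labels[ip] = "password spraying"         # many accounts, one or two tries each
        elif n_users == 1:
            labels[ip] = "password brute-force"      # one account, many tries
        else:
            labels[ip] = "mixed failed logons"
    return labels


if __name__ == "__main__":
    for ip, label in sorted(classify(summarize(parse_alerts(SAMPLE_JSONL))).items()):
        print(f"{ip:<12} {label}")
```

Run it with python3 and it prints one line per suspicious source while the two benign typos from 10.0.0.8 and the successful 4624 logon stay silent. In a real deployment this counting is done inside Wazuh by a correlation rule (frequency/timeframe on top of rule 60122) rather than by a script, but the grouping logic is the same.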

What is that though?

Those are MITRE ATT&CK Framework IDs

They describe Techniques used by attackers during their campaigns

MITRE ATT&CK Techniques

T1078 - Valid Accounts

T1531 - Account Access Removal

more info: https://attack.mitre.org/techniques/

WINNER

Well done! You ran & detected a brute-force attack with your own SIEM!

to continue the journey:

30 Day SOC Analyst Training

start your SOC career now: https://maikroservice.com/soc-30

for more content just like this: @maikroservice

for your continued support!
