SOC Analyst Series: @maikroservice
SOC ANALYST SERIES: PASSWORDS
https://academy.maikroservice.com
@maikroservice
that's a brute-force attack
Wait, but there are also different kinds of brute-force attacks, no?
YES!
Brute Force
Password Spraying
Credential Stuffing
cool, but um... what's the difference?!
Password Spraying
Password Spraying: ONE password (Winter2024!) against MANY users (TOM, JIM)
Credential Stuffing: DISCOVERED/KNOWN credentials against MANY machines (JIM:Winter2024!)
ok cool, but what exactly is Brute-Force then?
Password Brute-Force
Username Brute-Force
great, but umm... can we detect that somehow?
Sure! let's run the attack first - setup: on any linux vm
then type hydra
wordlist: https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Common-Credentials/10-million-password-list-top-100.txt
What’s a wordlist?
ok cool, software ✅ wordlist ✅ now, run the attack! 😈
$ hydra -l administrator -P 10-million-password-list-top-100.txt <computer_ip_here> smb
Where can I see this in my SIEM?!
SIEM MAGIC! open wazuh!
Great! We can see the attempts, but how does that work?
GREAT Question! Here we see the triggered Rules: 60122 & 60204
nice, but umm.. what do I do with those numbers?!
go to https://github.com/wazuh/wazuh
click on the result
focus on the <field name="...
if you don't know, look at this beautiful list:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
then find/search for 529 and 4625
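An added example (not from the original slides) of the kind of threshold logic a SIEM applies to failed-logon events: it groups constructed Windows event 4625 records by source address and labels a burst as password brute-force (one account, many attempts), password spraying (many accounts, few attempts each) or credential stuffing (one known credential across many hosts), following the definitions above. The hosts, addresses, window and threshold are all assumptions, not Wazuh's own rule settings.

```python
from collections import defaultdict

# Constructed failed-logon records (Windows Security event ID 4625), normalised the way a
# SIEM such as Wazuh would present them: (seconds, event_id, host, target_user, source_ip).
SAMPLE_EVENTS = [
    # 10.0.0.5: many guesses for ONE account on ONE host -> password brute-force
    *[(t, 4625, "dc01", "administrator", "10.0.0.5") for t in range(0, 20, 2)],
    # 10.0.0.9: ONE guess each against MANY accounts -> password spraying
    *[(t, 4625, "dc01", u, "10.0.0.9") for t, u in enumerate(["tom", "jim", "ann", "bob", "eve", "sam"])],
    # 10.0.0.7: the same known credential tried once per host on MANY machines -> credential stuffing
    *[(t, 4625, h, "jim", "10.0.0.7") for t, h in enumerate(["ws01", "ws02", "ws03", "ws04", "ws05"])],
    # 10.0.0.3: one mistyped password followed by a successful logon (4624); must not be flagged
    (30, 4625, "ws01", "tom", "10.0.0.3"),
    (31, 4624, "ws01", "tom", "10.0.0.3"),
]


def classify_failed_logons(events, window=60, threshold=4):
    """Return {source_ip: label} for every source with >= threshold 4625 events inside
    any `window`-second span. Window and threshold are assumed values for this example."""
    by_src = defaultdict(list)
    for ts, event_id, host, user, src in events:
        if event_id == 4625:  # only failed logons count towards the burst
            by_src[src].append((ts, host, user))
    verdicts = {}
    for src, hits in by_src.items():
        hits.sort()
        # sliding window: find the densest burst of failures from this source
        burst = []
        for i, (ts, _, _) in enumerate(hits):
            span = [h for h in hits[i:] if h[0] - ts <= window]
            if len(span) > len(burst):
                burst = span
        if len(burst) < threshold:
            continue
        users = {u for _, _, u in burst}
        hosts = {h for _, h, _ in burst}
        if len(users) == 1 and len(hosts) == 1:
            verdicts[src] = "password brute-force"
        elif len(users) >= 3:
            verdicts[src] = "password spraying"
        elif len(hosts) >= 3:
            verdicts[src] = "credential stuffing"
        else:
            verdicts[src] = "multiple logon failures"
    return verdicts


if __name__ == "__main__":
    for src, label in classify_failed_logons(SAMPLE_EVENTS).items():
        print(f"{src}: {label}")
```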
but...
you are so SMART!
What is that though?
MITRE ATT&CK Techniques
more info: https://attack.mitre.org/techniques/
WINNER
Well done! You ran & detected a brute-force attack with your own SIEM!
to continue the journey: your career
for more content just like this
@maikroservice