Detectionmediumtest

Potential Password Spraying Attempt Using Dsacls.EXE

Detects possible password spraying attempts using Dsacls

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Nasreddine Bencherchali (Nextron Systems)Created Mon Jun 20Updated Sat Feb 04bac9fb54-2da7-44e9-988f-11e9a5edbc0cwindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_img:
        - Image|endswith: '\dsacls.exe'
        - OriginalFileName: "DSACLS.EXE"
    selection_cli:
        CommandLine|contains|all:
            - '/user:'
            - '/passwd:'
    condition: all of selection*

False Positives

Legitimate use of dsacls to bind to an LDAP session

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1218 · System Binary Proxy Execution

Rule Metadata

Rule ID

bac9fb54-2da7-44e9-988f-11e9a5edbc0c

Status

test

Level

medium

Type

Detection

Created

Mon Jun 20

Modified

Sat Feb 04

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml

Raw Tags

attack.defense-evasionattack.t1218

View on GitHub