Brute Force: Password Spraying (T1110.003)

Carbanak+FIN7
Step | ATT&CK Pattern
4.A.3 |

APT29
The subtechnique was not in scope.

APT3
Step | ATT&CK Pattern
16.A.1.1 |
16.B.1.3 |

Procedure
Empire: 'net use' via PowerShell to perform brute-force password-spraying authentication attempts against Morris (10.0.1.4) and Nimda (10.0.1.6), targeting the credentials of users Kmitnick, Bob, and Frieda
Footnotes
- Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.




Procedure
Empire: 'net use' via PowerShell to perform brute-force password-spraying authentication attempts against Morris (10.0.1.4) and Nimda (10.0.1.6), targeting the credentials of users Kmitnick, Bob, and Frieda
Footnotes
- The vendor indicated the un-redacted passwords could be observed in triage/acquisition data.




Procedure
Empire: 'net use' via PowerShell to perform brute-force password-spraying authentication attempts against Morris (10.0.1.4) and Nimda (10.0.1.6), targeting the credentials of users Kmitnick, Bob, and Frieda
Footnotes
- A configuration change was made to allow for the capture of Windows Security Event ID 4625.



