← Back to Explore
sigmalowHunting
Suspicious Connection to Remote Account
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism
Detection Query
selection:
ScriptBlockText|contains:
- System.DirectoryServices.Protocols.LdapDirectoryIdentifier
- System.Net.NetworkCredential
- System.DirectoryServices.Protocols.LdapConnection
condition: selection
Author
frack113
Created
2021-12-27
Data Sources
windowsps_script
Platforms
windows
Tags
attack.credential-accessattack.t1110.001
Raw Content
title: Suspicious Connection to Remote Account
id: 1883444f-084b-419b-ac62-e0d0c5b3693f
status: test
description: |
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos
author: frack113
date: 2021-12-27
tags:
- attack.credential-access
- attack.t1110.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'System.DirectoryServices.Protocols.LdapDirectoryIdentifier'
- 'System.Net.NetworkCredential'
- 'System.DirectoryServices.Protocols.LdapConnection'
condition: selection
falsepositives:
- Unknown
level: low