Detecting Spraykatz: A Potential Credential Theft

Prerequisite:

The rule requires Sysmon to be enabled for proper functioning.

Rule type:

Correlation rule

Rule description:

This correlation rule aims to identify the use of SprayKatz, a tool designed to retrieve credentials on Windows machines and within large AD environments. Security professionals, penetration testers, and system administrators may use such tools for authorized testing and to identify vulnerabilities within their own systems.

By employing Spraykatz, adversaries can execute attacks such as:

• Credential Theft
• Privilege Escalation
• Lateral Movement
• Data Exfiltration

Data source:

Windows: User account, Command, Process

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0006 - Credential Access

Techniques: T1003 OS Credential Dumping

Sub-techniques: T1003.001 - LSASS Memory, T1003.002 - Security Account Manager

Criteria:

Attackers might try to rename the executable to disguise it. However, many implementations retain some variation of the original filename "spraykatz". This provides a strong initial indicator.

Spraykatz uses the "spray_" prefix in its commands for password spraying activities where it tests credentials against multiple accounts.

Procdump is a legitimate Microsoft Sysinternals tool, but it's frequently abused by attackers and tools like Spraykatz. Spraykatz uses "Procdump" to extract process memory (specifically targeting the LSASS process where credentials are often stored).

The "-ma" argument in Procdump instructs it to create a full memory dump. Attackers use this to get the most comprehensive data from the LSASS process for credential extraction.

When to enable this rule:

Enable this rule when you want to detect unauthorized access attempts to laterally move within the network by identifying the presence of SprayKatz tool. This rule can be helpful for investigations into malicious insider threats or external attackers attempting to gain domain dominance.

Compliance mapping (NIST, CIS):

Enabling this rule will help you comply with the below security standards' requirements:

NIST Cybersecurity Framework (CSF):

• Anomalies in System Process Execution (DE.AE-1): Unusual processes or command-line arguments that match known Spraykatz or Mimikatz patterns. This includes unexpected invocation of credential dumping tools or utilities often leveraged by such tools.
• Irregular Access to Credential Stores (DE.CM-1): Unauthorized access attempts or modifications to areas of the system where credentials are stored, such as the Security Accounts Manager (SAM) database, or creation of memory dumps from the Local Security Authority Subsystem Service (LSASS) process.
• Unusual Network Traffic Patterns (DE.AE-1): Detection of network traffic to uncommon ports or endpoints, which may indicate data exfiltration attempts characteristic of the post-exploitation phase following the use of Spraykatz.
• Security Log Anomalies (DE.CM-7): Alerts or log entries showing clear signs of tampering, deletion, or suspicious activities closely associated with credential theft operations, including the use of privilege escalation techniques and attempts to access secure system areas.

CIS:

• Control 8: Malware Defense: Ensure mechanisms are in place to detect and prevent the execution of malicious code at multiple points in the enterprise, with a focus on detecting tools like Spraykatz.
• Control 6: Maintenance, Monitoring, and Analysis of Audit Logs: Collect, manage, and analyze audit logs to detect anomalies in system behavior, unauthorized access attempts, and other indicators of compromise.

Next steps:

Upon triggering this alert, the following actions can be taken:

• Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
• Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
• Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.