Added kerberos password spraying usecase and response playbook

data/en/response_actions/RA_2004_find_compromised_host/RA_2004_find_compromised_host.yml

@@ -1,8 +1,8 @@
-title: RA_2005_make_a_volatile_memory_capture
-id: RA2005
-description: Make a volatile memory capture
+title: RA_2004_find_compromised_host
+id: RA2004
+description: Find compromised host
 author: '@ERMACK_COMMUNITY'
 creation_date: 2023/03/13
 stage: identification
 extended_description: |
-  Make a volatile memory capture
+  Find host with suspicious activity. Check it on logs or on network traffic

data/en/response_actions/RA_6006_update_password_policy/RA_6006_update_password_policy.yml

@@ -0,0 +1,8 @@
+title: RA_6006_update_password_policy
+id: RA6006
+description: Update password policy
+author: '@ERMACK_COMMUNITY'
+creation_date: 2023/07/23
+stage: lessons_learned
+extended_description: |
+  Update password policy

data/en/response_playbooks/RP_0012_kerberos_password_spraying/RP_0012_kerberos_password_spraying.yml

@@ -0,0 +1,73 @@
+title: Kerberos password spraying
+description: Response playbook for "Kerberos password spraying" attack
+id: RP0012
+author: '@ERMACK_COMMUNITY'
+creation_date: 2023/07/22
+modification_date: 2023/07/23
+linked_artifacts:
+  - A1001
+  - A1007
+  - A1008
+tags:
+  - status.stable
+  - severity.high
+  - tlp.amber
+  - pap.white
+  - kerberos
+preparation:
+  - RP_1001_operational_preparations
+  - RA_1102_access_internal_network_flow_logs
+  - RA_1109_access_internal_packet_capture_data
+  - RA_1112_get_ability_to_block_internal_ip_address
+  - RA_1120_get_ability_to_block_user_internal_communication
+identification:
+  - RA_2004_find_compromised_host
+  - RA_2601_list_users_authenticated
+  - RA_2604_find_compromised_user
+  - RA_2003_put_compromised_accounts_on_monitoring
+containment:
+  - RP_0008_windows_host_compromise
+  - RP_0009_compromised_active_directory_account
+#eradication:
+#recovery:
+lessons_learned:
+  - RA_6001_develop_incident_report
+  - RA_6002_conduct_lessons_learned_exercise
+  - RA_6006_update_password_policy
+
+extended_description: |
+  A password spray attack is quite simple, and if successful, has serious consequences, because attackers obtain the credentials of one or more users, which widens their attack surface
+workflow: |
+  <img src="../RP0012.png" alt="workflow" />
+
+  To successfully respond to a password spray attack, network logs of access to the domain controller are needed. 
+  With the help of these logs, we will find the IP address from which the attack was carried out and the list of users whose credentials were picked up.
+
+  Signs that a password spray attack is being carried out from this IP address:
+
+  1. A large number of failed authentication requests with different usernames
+  2. Authentication requests with usernames for which this IP address is not typical
+
+  The picture below shows a lot of authentication requests (AS_REQ Kerberos message) to the domain controller (192.168.10.1) from the IP address 192.168.10.10
+
+  <img src="../traffic_spray.png" alt="Traffic" />
+
+  The above traffic dump also shows that one of the users got a password. This is evidenced by the AS_REP response of the domain controller. 
+  In the response, you can find the username whose credentials were obtained by the attackers. The picture below shows the response of the domain controller, which contains the username
+
+  <img src="../as_rep.png" alt="AS_REP" />
+
+  After successful authentication on the domain controller, an <[event with ID 4768]>(A_1008) will be generated, which will also contain the username and IP address.
+
+  <img src="../Event4768.png" alt="Event" />
+
+  After we have found the names of the compromised users and the IP address from which this attack was carried out, proceed to [Compromised active directory account response playbook](/response_playbooks/RP_0009_compromised_active_directory_account/entity) and [Windows host compromise response playbook](/response_playbooks/RP_0008_windows_host_compromise/entity) 
+
+  On lessons learned stage need to check that users do not have commonly used passwords and update the password policy.
+
+  ## Response discovery mapping
+
+  | ARTIFACT  | RESPONSE ACTION    | RESPONSE ACTION OBSERVABLES  |
+  | :---------------------------| :---------------------------| :---------------------------|
+  | [Domain account](/artifacts/A_1001_windows_domain_account/entity/) | [Find compromised user](#identification) <br> *Find the username for which the domain controller returned AS_REP and for which <[event ID 4768]>(A_1008) was generated* | Name or names of the users whose credentials were obtained by the attackers |
+  | [IP Address](/artifacts/A_1007_ip_address/entity/) | [Find compromised host](#identification) <br> *Find an IP address with a lot of failed authentications or authentication requests with atypical usernames for this address* | IP address from which the attack was carried out |

data/en/usecases/UC_0008_kerberos_password_spraying/UC_0008_kerberos_password_spraying.yml

@@ -0,0 +1,77 @@
+title: 'Successfull Kerberos password spraying'
+id: UC0008
+author: '@ERMACK_COMMUNITY'
+creation_date: 2023/07/21
+modification_date: 2023/07/21
+severity: H
+tags:
+  - attack.credential_access
+  - attack.t1110.003
+  - kerberos
+linked_response_playbooks:
+  - RP0012
+linked_artifacts:
+  - A1001
+  - A1010
+  - A1008
+  - A1009
+  - A5008
+description: Attackers can carry out a password spray attack to obtain valid credentials
+extended_description: |
+  Attackers may use single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. 
+  Logins are attempted with that passwords list against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.
+
+  ## Attack mapping 
+  | ARTIFACT | OBJECT | DESCRIPTION |
+  | :--------| :------| :-----------|
+  | **Attack Prerequisites**        |
+  | <[Active Directory Account]>(A_1001) | Domain users names | List of valid domain users names |
+  | <[Authentication Service]>(A_1010) | Authentication service on domain controller | Network availability to authentication service on domain controller |
+  | **Side Observables**            |
+  | <[Log]>(A_1008) | Windows security log | Windows security log with EventID 4768 - A Kerberos authentication ticket (TGT) was requested |
+  | <[Kerberos network traffic]>(A_1009)    | Kerberos protocol messages | Kerberos protocol messages which generated during the attack |
+
+  The list of valid usernames is included in the prerequisites, but many utilities (as will be shown) can determine whether a given user exists in the domain and display an appropriate message about it.
+  Accordingly, in the general case, the list of valid users is not a prerequisite for this attack.
+  However, the list of valid usernames is specified in the prerequisites, since getting this list is a [separate attack](/usecases/UC_0002_as_req_domain_user_enumerate/entity).
+
+  ## Attack result
+  The result of this attack is the credentials of one or more users
+
+  | RESOURCE | DESCRIPTION | 
+  | :--------| :-----------|
+  | **Attack Prerequisites** |
+  | <[Active Directory Account]>(A_1001) | List of valid domain users names  |
+  | <[Authentication Service]>(A_1010) | Network availability to authentication service on domain controller |
+  | **Result Consequences** |
+  | <[Password]>(A_5008) | Valid password of one or more users |
+
+  ## Attack progress
+
+  Attackers sequentially send authentication requests with a given password to different users. Depending on the response of the authentication service, a conclusion is made about the correctness of the password.
+  If successful, the authentication service will return AS_REP kerberos message.
+  <img src="../traffic_spray.png" alt="Traffic">
+
+  After successful authentication on the domain controller, event 4768 will be generated.
+  <img src="../Event4768.png" alt="Event">
+
+  Below are the tools that can be used to carry out this attack
+
+  ### Rubeus
+
+  ```
+  Rubeus brute /password:<password> /users:<users_list>
+  ```
+  <img src="../rubeus_brute.png" alt="Rubeus">
+
+  ### Kerbrute
+
+  ```
+  kerbrute_linux_amd64 passwordspray -d <domain> <users_list> <password>
+  ```
+  <img src="../kerbrute_spray.png" alt="Kerbrute">
+
+  ## References
+  1. <https://ardent101.github.io/posts/kerberos_general_attacks/>
+  2. <https://github.com/GhostPack/Rubeus>
+  3. <https://github.com/ropnop/kerbrute>