Nov 26, 2023 5 min read

Detecting Password Sprays in Windows AD: Fake User Account with Multiple Passwords (part 1)

This page is essentially a copy of my question post on Information Security Stack Exchange: "Windows AD - Fake User Account with Multiple Passwords to Detect Password Spray".

Password sprays are a prevalent form of password attack, often likened to a "wide nozzle" attack. Password cracking is the attempt to recover a password from a provided hash or similar artifact, whereas password spraying is categorized as a guessing attack, alongside credential stuffing. The latter involves trying breached or discovered credentials on various systems or services, typically relying on a username/email and password combination. Credential stuffing is the reason one shouldn't reuse the same email and password combination on more than one online service.

Password spraying adopts a slow and methodical approach. This deliberate pace is a trademark of Advanced Persistent Threats (APTs): a campaign can span months or even years, trying varied sets of credentials against numerous accounts. The passwords are chosen to be easy to guess or, in the most general sense, statistically likely for the targets being attacked. In principle, "mangling" or other forms of wordlist generation and permutation could also produce the guesses. With password sprays, however, that is usually not viable, because the attack stays stealthy only when the guesses are slow and do not look anomalous to whatever detection systems are in place.

Password Spraying | BeyondTrust

One effective way to detect this sort of activity is to purposely create decoy/fake/deceptive user accounts with easy-to-guess credentials. These accounts are tripwires for attackers that are already in the network/Active Directory. It's important to note that these decoy accounts shouldn't have actual permissions, but merely appear to when scanned with tools such as BloodHound. This type of defense is commonly known as cyber deception. I have lots to post about cyber deception in the future 😃🕵️.

My goal is to figure out if it's possible to configure a decoy user account that allows more than one password for login. By doing so, I could cover larger lists of common or breached passwords without needing to create more accounts, which would make the deception more noticeable. Based on some other resources I found, this definitely doesn't seem to be possible out of the box, but maybe there is a third-party option for identity providers that could make it possible. In my mind, I was thinking of a boolean logic statement like "pw1 OR pw2 OR pw3." Ultimately, I just want to know if this could ever be a possibility or if I would need to rely on creating more decoy accounts with an optimized list of passwords for them to use.

Below is the question I posted. I will follow up with the answer and probably document more of my work on detecting password sprays in the next month.


TL;DR

I'm trying to implement a fake user account that has multiple sets of credentials that can be used. Instead of a specific password, any one password from a list of them could be used to authenticate to the account. By doing so, we can cover breached, common, or easily guessed passwords, and make it more likely that an attacker is detected through these fake user account "tripwires." This would be useful for detecting password sprays in the domain.

FYI

I'm not super experienced with Windows AD and how identities are defined with various Windows authentication methods. I'm also not intimately familiar with system administration, Azure, IAM, or devops.

Background

I set up a Windows AD domain from within Azure using the ARM template from DefensiveOrigins/DO-LAB. The goal was to do some "purple teaming" by setting up a fake tripwire user account with an easy password, do a fake password spray over the domain, then implement detections using KQL in Microsoft Sentinel.

The original lab comes from here (not public, though): AppliedPurpleTeaming/APT-9S22

In practice, this lab must be able to use the "DomainPasswordSpray" tool (dafthack/DomainPasswordSpray) along with recon such as with BloodHound (BloodHoundAD/BloodHound).
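The lab above boils down to three steps: stand up a decoy account with a weak password, run a spray across the domain, then write detections over the resulting logon events. The following Python is an added example (not code from this post, the DO-LAB template or the APT-9S22 lab) of the two detection rules that workflow produces, run over a constructed batch of simplified Windows Security records. It assumes a decoy named `svc_legacybackup`, a one-hour window, and the thresholds in `spray_sources`; all of those are assumptions for the example, not values from the lab. The first rule fires on any touch of the decoy. The second fires on the spray shape itself (one source, many accounts, one or two tries each), which is the rule that still catches the attacker who happens to land on a real weak account before reaching the decoy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records, invented for this example.
# The fields are a simplified form of what event 4625 (failed logon) and
# 4624 (successful logon) carry: TargetUserName, IpAddress, TimeCreated.
SAMPLE_EVENTS = [
    # One source walks through many accounts, one guess each: a spray.
    {"time": "2023-11-26T01:00:00", "event_id": 4625, "user": "alice", "src_ip": "10.0.0.50"},
    {"time": "2023-11-26T01:01:00", "event_id": 4625, "user": "bob", "src_ip": "10.0.0.50"},
    {"time": "2023-11-26T01:02:00", "event_id": 4625, "user": "carol", "src_ip": "10.0.0.50"},
    {"time": "2023-11-26T01:03:00", "event_id": 4625, "user": "dave", "src_ip": "10.0.0.50"},
    # The decoy's weak password is accepted, so this one is a 4624, not a 4625.
    {"time": "2023-11-26T01:04:00", "event_id": 4624, "user": "svc_legacybackup", "src_ip": "10.0.0.50"},
    {"time": "2023-11-26T01:05:00", "event_id": 4625, "user": "erin", "src_ip": "10.0.0.50"},
    # A real user mistyping their own password: many failures, one account.
    {"time": "2023-11-26T02:00:00", "event_id": 4625, "user": "bob", "src_ip": "10.0.0.77"},
    {"time": "2023-11-26T02:00:30", "event_id": 4625, "user": "bob", "src_ip": "10.0.0.77"},
    {"time": "2023-11-26T02:01:00", "event_id": 4625, "user": "bob", "src_ip": "10.0.0.77"},
    {"time": "2023-11-26T02:01:30", "event_id": 4625, "user": "bob", "src_ip": "10.0.0.77"},
]

# Constructed decoy account name (assumption); nobody legitimate ever uses it.
HONEY_ACCOUNTS = {"svc_legacybackup"}


def _parse(events):
    """Copy the records with the timestamp turned into a datetime."""
    return [dict(e, time=datetime.fromisoformat(e["time"])) for e in events]


def honey_account_trips(events):
    """Every logon attempt against a decoy account is an alert, whether the
    password was right (4624) or wrong (4625): the account has no real user."""
    return [e for e in _parse(events) if e["user"].lower() in HONEY_ACCOUNTS]


def spray_sources(events, window=timedelta(hours=1), min_accounts=5, max_per_account=2):
    """Return {src_ip: sorted list of targeted accounts} for every source that,
    within one window, failed against at least `min_accounts` distinct accounts
    with no more than `max_per_account` tries on any of them. That shape
    (wide and shallow) is the spray signature; a user retyping their own
    password is narrow and deep and is not reported."""
    by_src = defaultdict(list)
    for e in _parse(events):
        if e["event_id"] == 4625:
            by_src[e["src_ip"]].append(e)

    hits = {}
    for src, failures in by_src.items():
        failures.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it spans at most `window`.
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            per_account = defaultdict(int)
            for e in failures[start:end + 1]:
                per_account[e["user"].lower()] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                hits[src] = sorted(per_account)
                break
    return hits


if __name__ == "__main__":
    for e in honey_account_trips(SAMPLE_EVENTS):
        print(f"HONEY ACCOUNT TOUCHED: {e['user']} from {e['src_ip']} at {e['time']} (event {e['event_id']})")
    for src, accounts in spray_sources(SAMPLE_EVENTS).items():
        print(f"SPRAY PATTERN from {src}: {len(accounts)} accounts, e.g. {accounts[:3]}")
```

On the constructed input the decoy rule reports the single 4624 from 10.0.0.50, and the spray rule reports 10.0.0.50 for five accounts while ignoring 10.0.0.77, whose four failures are all against one account. The same two groupings (by target account, and by source with distinct-account counts over a window) are what the KQL in Sentinel would express against the SecurityEvent table.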

Why a Fake User Account with Multiple Creds?

I wanted to add a twist to the fake user accounts. What if the attacker were to hit a legitimate account that has an easy password like "easypassword1" before it hits my fake account that's using "easypassword2"? This would mean that my fake user account never gets tripped. To avoid this, I thought I could try to programmatically allow multiple passwords to get into an account without needing to create more accounts, as this would make the deception more noticeable. If possible, I can plug in a list of common passwords and almost always get a hit on that account and cover a large distribution of passwords used with attacks. As a result, that one account would effectively cover password spray detections for the whole domain with little effort.

The step with Fake User Generation can be found at APT-9S22/APT/1-Labs/L0040-Deception (AppliedPurpleTeaming/APT-9S22).

ChatGPT tried to say that Credential Manager could do this, but I'm calling a hallucination on that.

Other Mentions

Lots of people say it's not possible, or they're not looking at it from other perspectives.

Approaches & Related Problems

These are all approaches that could maybe work for implementing this multi-credential fake user account (even if only logical and not literal).

Multiple entities on one account

There are lots of cases where you may have multiple entities or people accessing one privileged account.

There's a Microsoft article related to this for Entra ID (Sharing accounts and credentials | Microsoft Learn).

I can think of 2 ways this can be done:

  1. Multiple sets of credentials that can be activated or deactivated for that one account
  2. You could manage those credentials in some system like a password manager and disallow access when necessary, which would also then require the password to be reset

I'm unaware of nuanced ways accounts can be used in Windows AD. Maybe there's a type of logical account in Windows AD that can be a sort of account proxy to the main account.

External/Third-Party Identity Provider (Proxy for Authentication)

Maybe there's a way to implement some sort of external identity provider that could use conditional logic with forms of identification (what you know, what you are, what you have). For example, a password could be attempted in Windows AD, then that password is sent to the 3rd party, then the identity provider would check through its list of passwords (PW1 OR PW2...) and return true. Is this a thing? Is it possible?
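To make the "PW1 OR PW2..." logic concrete, here is an added example in Python (not code from this post, from Windows AD, or from any identity provider) of what the external verifier imagined above would have to do: hold several decoy passwords for one account, accept any one of them, and turn every attempt into an alert that also names which wordlist the guess came from. The account name, the wordlist labels and the passwords are constructed; the whole verifier is a hypothetical model of the proxy idea, not an existing AD or Entra ID feature. The decoy passwords are hashed with a single per-account salt so an attempt costs one PBKDF2 run regardless of list length, and the comparison loop visits every stored digest so its timing does not reveal which entry matched.

```python
import hashlib
import hmac
import os

# Work factor for the hash; kept low for the example. This whole verifier is a
# hypothetical model of the third-party check the post asks about.
ITERATIONS = 20_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class DecoyAccount:
    """A decoy account that accepts any one of several passwords: the
    'pw1 OR pw2 OR pw3' check as an external verifier would implement it.

    `passwords` maps a label (which wordlist the password came from) to a
    list of decoy passwords. All of them are hashed with one per-account
    salt, so a logon attempt needs a single PBKDF2 run no matter how many
    passwords the decoy accepts."""

    def __init__(self, username, passwords):
        self.username = username
        self.salt = os.urandom(16)
        self._digests = {label: [_hash(pw, self.salt) for pw in pws]
                         for label, pws in passwords.items()}

    def matching_list(self, password):
        """Return the label of the wordlist containing `password`, or None.
        Every digest is compared, so the loop's timing doesn't reveal which
        list (if any) matched."""
        candidate = _hash(password, self.salt)
        matched = None
        for label, digests in self._digests.items():
            for digest in digests:
                if hmac.compare_digest(candidate, digest):
                    matched = label
        return matched


def handle_logon(account, username, password):
    """Verifier-side hook: return an alert record for any attempt against the
    decoy, or None when the attempt targets some other account. The decoy
    holds no real permissions, so 'accepted' only keeps the lure convincing;
    the alert is raised whether or not the guess was on a list."""
    if username.lower() != account.username.lower():
        return None
    label = account.matching_list(password)
    return {
        "alert": "honey_account_logon_attempt",
        "user": account.username,
        "accepted": label is not None,
        "wordlist": label,
    }


if __name__ == "__main__":
    # Constructed decoy: two small wordlists, labelled so the alert says which one hit.
    acct = DecoyAccount("svc_legacybackup", {
        "seasons": ["Winter2023!", "Summer2023!"],
        "defaults": ["Password1", "Welcome1"],
    })
    print(handle_logon(acct, "svc_legacybackup", "Welcome1"))
    print(handle_logon(acct, "svc_legacybackup", "not-on-any-list"))
```

The wordlist label in the alert is the payoff of the multi-password idea: one decoy tells you not only that someone is guessing, but roughly which list they are guessing from, without the extra accounts that would make the deception easier to spot.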

Notes for my project

grad-school-projects/Honey Accounts in Windows AD at main · cybersader/grad-school-projects

I'll be back

I'm going to figure out if this is possible in Windows AD and then from the perspective of the DefensiveOrigins/DO-LAB environment.
