Pwd Policy Discovery

Date: 2021-08-26 ID: f42c4b90-4c31-4b96-9b9f-25e9faebfd15 Author: Teoderick Contreras Environment: attack_range Directory: pwd_policy_discovery

Description

Simulated test Attack range dataset for AD Domain Policy Enumeration

ID	Technique	Tactic
T1201	Password Policy Discovery	Discovery

The following datasets were collected during this attack simulation:

Path: /datasets/attack_techniques/T1201/pwd_policy_discovery/windows-powershell-xml.log
Sourcetype: XmlWinEventLog
Source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational

Path: /datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log
Sourcetype: XmlWinEventLog
Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

The following detections in our security content repository use this attack data for testing:

Detection Name	Type	Source	MITRE ATT&CK	Analytic Story
Windows Password Policy Discovery with Net	`Hunting`	Endpoint	T1201	Active Directory Discovery
Get ADUserResultantPasswordPolicy with Powershell	`TTP`	Endpoint	T1201	Active Directory Discovery, CISA AA23-347A
Get ADDefaultDomainPasswordPolicy with Powershell	`Hunting`	Endpoint	T1201	Active Directory Discovery
Get DomainPolicy with Powershell	`TTP`	Endpoint	T1201	Active Directory Discovery
Get ADDefaultDomainPasswordPolicy with Powershell Script Block	`Hunting`	Endpoint	T1201	Active Directory Discovery

Replay attack data with replay.py from Splunk Attack Data.

1python replay.py --dataset /datasets/attack_techniques/T1201/pwd_policy_discovery/windows-powershell-xml.log --index attack_data

Find more detections and analytics for this attack technique in our security content repository.

Source: GitHub | Version: 1.0