Windows Local Administrator Credential Stuffing
Overview
This simulation tests local administrator credentials with a brute-force (credential stuffing) attack, then simulates creating a backdoor local account with administrator privileges and executing code remotely with PsExec.
The simulation begins with reconnaissance: the attacker lists the local user accounts and identifies privileged groups, in particular the local Administrators group. The attacker then performs rapid authentication attempts against the identified administrator accounts using common passwords, leaked credentials, or a password spray. Once an authentication succeeds, the attacker holds administrator rights and creates backdoor administrator accounts with known credentials to retain access to the compromised system. The scenario ends with lateral movement attempts, in which the attacker uses tools such as PsExec to run tasks on other systems remotely with the newly created or compromised credentials.
Objective:
• Identify rapid-authentication and credential stuffing signatures against local administrator accounts
• Detect unauthorized account creation and privilege escalation through changes to local administrator groups
• Confirm lateral movement carried out with legitimate administrative tools such as PsExec
• Test SIEM correlation logic against multi-phase attack chains (reconnaissance through post-exploitation)
Use Case:
• Internal security audits and compliance checks against credential-based attack vectors.
• Purple teaming to replicate real-world credential stuffing and privilege escalation techniques.
• Improving SIEM or EDR detection of authentication anomalies and account abuse.
• Validating credential-compromise playbooks and training incident responders.
• Verifying password policies, account lockout policies, and privileged account management controls.
Tactics & Techniques:
Tactic: Discovery (MITRE ATT&CK: TA0007)
Technique: Account Discovery: Local Account - [T1087.001]
Technique: Permission Groups Discovery: Local Groups - [T1069.001]
Tactic: Credential Access (MITRE ATT&CK: TA0006)
Technique: Brute Force: Credential Stuffing - [T1110.004]
Tactic: Persistence / Privilege Escalation (MITRE ATT&CK: TA0003 / TA0004)
Technique: Create Account: Local Account - [T1136.001]
Technique: Valid Accounts: Local Accounts - [T1078.003]
Tactic: Lateral Movement (MITRE ATT&CK: TA0008)
Technique: Remote Services: SMB/Windows Admin Shares - [T1021.002]
Tactic: Execution (MITRE ATT&CK: TA0002)
Technique: System Services: Service Execution - [T1569.002]
Impact: This scenario generates authentication logs, account-change logs, and lateral movement logs without damaging the system or stealing data. It nonetheless mirrors real attacker behaviour that can put systems at risk and expose confidential resources.
Detection Tips:
Security teams should monitor for the patterns that indicate credential stuffing and privilege escalation. Key indicators include:
• Event ID 4625 - Numerous failed logon attempts from the same source within a short period (5 or more in 2 minutes).
• Event ID 4624 - A successful logon immediately after several authentication failures from the same source IP or hostname.
• Event ID 4720 - Creation of a new local user account; new local accounts should be created only when necessary and during business hours.
• Event ID 4732 - A member was added to a security-enabled local group, especially the Administrators group.
• Event ID 4672 - Special privileges assigned to a new logon, which indicates administrative access.
• Event ID 5140/5145 - A network share was accessed, particularly the administrative shares (C$, ADMIN$, IPC$).
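The following Python script is an added example, not part of the original scenario description, showing how the detection tips above can be turned into correlation rules and run over a batch of Security log records. The records are constructed for the example (they are not real telemetry), and the simplified field names (time, event_id, source_ip, target_user, group, share) are assumptions; a real SIEM would map them from the XML/EVTX fields of each event. It implements the four correlations the tips describe: a burst of 4625 failures from one source inside a two-minute window, a 4624 success that follows failures from the same source, a 4720 account creation followed by a 4732 addition to Administrators, and 5140/5145 access to the administrative shares.

```python
"""
Correlation rules for the credential-stuffing -> backdoor-admin -> admin-share
chain described in the scenario. Constructed sample events (not real logs).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: one record per Security event, reduced to the
# fields the rules below need. Times are UTC; source_ip is the client address
# from the logon record. All values are invented for this example.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T03:00:01", "event_id": 4625, "source_ip": "10.0.0.5", "target_user": "Administrator"},
    {"time": "2024-01-10T03:00:02", "event_id": 4625, "source_ip": "10.0.0.5", "target_user": "Administrator"},
    {"time": "2024-01-10T03:00:03", "event_id": 4625, "source_ip": "10.0.0.5", "target_user": "Administrator"},
    {"time": "2024-01-10T03:00:04", "event_id": 4625, "source_ip": "10.0.0.5", "target_user": "Administrator"},
    {"time": "2024-01-10T03:00:05", "event_id": 4625, "source_ip": "10.0.0.5", "target_user": "Administrator"},
    {"time": "2024-01-10T03:00:07", "event_id": 4624, "source_ip": "10.0.0.5", "target_user": "Administrator"},
    {"time": "2024-01-10T03:01:00", "event_id": 4720, "target_user": "svc_backup"},
    {"time": "2024-01-10T03:01:05", "event_id": 4732, "target_user": "svc_backup", "group": "Administrators"},
    {"time": "2024-01-10T03:02:00", "event_id": 5145, "source_ip": "10.0.0.5", "target_user": "svc_backup", "share": "\\\\*\\ADMIN$"},
    # Benign noise: one failure from another host and a normal share access.
    {"time": "2024-01-10T09:15:00", "event_id": 4625, "source_ip": "10.0.0.9", "target_user": "jdoe"},
    {"time": "2024-01-10T09:16:00", "event_id": 5145, "source_ip": "10.0.0.9", "target_user": "jdoe", "share": "\\\\*\\Public"},
]

ADMIN_SHARES = ("C$", "ADMIN$", "IPC$")


def _parse(events):
    """Return a copy of the events with parsed datetimes, sorted by time."""
    parsed = [dict(e, time=datetime.fromisoformat(e["time"])) for e in events]
    return sorted(parsed, key=lambda e: e["time"])


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Sources producing >= threshold 4625 events inside any sliding window.
    Returns a sorted list of (source_ip, max_failures_in_window)."""
    by_source = defaultdict(list)
    for e in _parse(events):
        if e["event_id"] == 4625:
            by_source[e["source_ip"]].append(e["time"])
    hits = {}
    for src, times in by_source.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return sorted(hits.items())


def success_after_failures(events, min_failures=3, window=timedelta(minutes=2)):
    """4624 from a source that produced >= min_failures 4625 events in the
    preceding window. Returns a list of (source_ip, target_user, time_iso)."""
    recent_failures = defaultdict(list)
    hits = []
    for e in _parse(events):
        src = e.get("source_ip")
        if e["event_id"] == 4625:
            recent_failures[src].append(e["time"])
        elif e["event_id"] == 4624:
            fails = [t for t in recent_failures[src] if e["time"] - t <= window]
            if len(fails) >= min_failures:
                hits.append((src, e["target_user"], e["time"].isoformat()))
    return hits


def new_accounts_made_admin(events, group="Administrators"):
    """Accounts created (4720) and later added to the given group (4732).
    Returns a list of (account, seconds_between_creation_and_group_add)."""
    created = {}
    hits = []
    for e in _parse(events):
        if e["event_id"] == 4720:
            created[e["target_user"]] = e["time"]
        elif e["event_id"] == 4732 and e.get("group") == group:
            if e["target_user"] in created:
                delta = (e["time"] - created[e["target_user"]]).total_seconds()
                hits.append((e["target_user"], delta))
    return hits


def admin_share_access(events):
    """5140/5145 events whose share is an administrative share. The logged
    share name looks like \\\\*\\ADMIN$, so only the last path component is compared."""
    hits = []
    for e in _parse(events):
        if e["event_id"] in (5140, 5145):
            name = e["share"].rstrip("\\").split("\\")[-1].upper()
            if name in ADMIN_SHARES:
                hits.append((e["source_ip"], e["target_user"], name))
    return hits


if __name__ == "__main__":
    print("4625 bursts:", failed_logon_bursts(SAMPLE_EVENTS))
    print("4624 after failures:", success_after_failures(SAMPLE_EVENTS))
    print("4720 -> 4732 Administrators:", new_accounts_made_admin(SAMPLE_EVENTS))
    print("admin share access:", admin_share_access(SAMPLE_EVENTS))
```

Each rule is kept separate so that a SIEM can assign its own severity: a 4625 burst on its own is a medium-confidence signal, whereas the same source appearing in all four rules within a few minutes is the full chain and should be escalated as a confirmed compromise.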