OpenCTI または OpenAEV プラットフォームを 30 日間お試しいただけます。 無料トライアル
XTM Hub by Filigranサインイン

Windows Local Administrator Credential Stuffing

Endpoint Security Validation
Detection Rule Validation
Purple Team As A Service

概要

This simulation checks for local administrator credentials using BruteForce attack, it also simulates a backdoor local account with admin privileges and performing remote code exection using psexec

The simulation starts by the reconnaissance where the attacker lists the local user accounts and identifies privileged groups especially the local Administrators group. After reconnaissance, the attacker conducts quick authentication with common passwords or leaked credentials or password spray of identified administrator accounts. After counterfeiting successful authentication, the attacker becomes an administrator and sets backdoor administrator accounts of known credentials so that he can continue to have access to the compromised system. The attack ends with attempts at lateral motion, in which the attacker employs such tools as PsExec to carry out tasks on other systems remotely with the help of the recently created or compromised credentials.

Objective: • Identify fast authentication and credential stuffing signatures on local administrator accounts • Detect the creation of unauthorized accounts and privilege escalation by local administrator groups updates • Confirm lateral movement with the help of legitimate administrative programs such as PsExec • SIEM correlation logic Test Multi-phase attack chains (reconnaissance to post-exploitation)

Use Case: • Inside security audits, compliance checks against credential based attack vectors. • Purple teaming to replicate credential stuffing and privilege escalation concepts in the real world. • Increased detection when it comes to SIEM or EDR solutions in terms of authentication anomalies and account abuse. • Credential compromise playbook validation and incident response training. • Checking password policies, account lock out policies and privileged account management checks.

Tactics & Techniques: Tactic: Discovery (MITRE ATT&CK: TA0007) Technique: Account Discovery: Local Account - [T1087.001] Technique: Permission Groups Discovery: Local Groups - [T1069.001] Tactic: Credential Access (MITRE ATT&CK: TA0006) Technique: Brute Force: Credential Stuffing - [T1110.004] Technique: Persistence / Privilege Escalation (MITRE ATT&CK: TA0003 / TA0004) Technique: Develop Account: Local Account - [T1136.001] Technique: Valid Accounts: Local Accounts - [T1078.003] Strategy: Lateral Movement (MITRE ATT&CK: TA0008) Technique: Remote Services: SMB/Windows Admin Shares - [T1021.002] Tactic: Execution (TA0002) Technique: System Services: Service Execution - [T1569.002]

Impact: This situation creates authentication logs, account change logs, and lateral movement logs without damaging or stealing data through the system. Nonetheless, it resembles the actual actions of attackers that can put systems at risk and reveal confidential resources.

Detection Tips: • Patterns The security teams are to monitor the indicators of credential stuffing and privilege escalation processes. Key indicators include: • Event ID 4625 - Numerous unsuccessful logon attempts by the same source within brief periods (5 or more in 2 minutes). • Event ID 4624 - Successful logon just after several authentication failures by the same source IP or hostname. • Event ID 4720 -Creation of new local user account-newer local accounts should be created only when necessary and during business hours. • Event ID 4732- User was added to security-enforced local group, especially, Administrators group. • Event 4672 Special privileges have been assigned to a new logon, which means that it has administrative access. • Event ID 5140/5145 Network share accessed, particularly administrative shares (C,ADMIN, IPC$).

基本情報

Filigran
Sairam Jetty
2026年7月01日
2.0.14
90+
8

    当社は、XTM Hubの機能を動作させ、その利用状況を把握し、ユーザー体験を向上させるためにクッキーを使用しています。必須のクッキーは常に有効になっています。また、ユーザーの同意を得た上で、機能、パフォーマンス、分析、およびマーケティングを目的としたオプションのクッキーも使用しています。 すべてのクッキーを受け入れる、すべてを拒否する、または許可するオプションのクッキーを選択することができます。「クッキー設定」から、いつでも設定を変更できます。詳細については、当社のクッキーポリシーをご覧ください。