Spray-AD: A Cobalt Strike tool to audit Active Directory user accounts

Spray-AD, a Cobalt Strike tool to perform a fast Kerberos password spraying attack against Active Directory.

This tool can help Red and Blue teams to audit Active Directory user accounts for weak, well-known, or easily guessable passwords and can help Blue teams to assess whether these events are properly logged and acted upon.

When this tool is executed, it generates event IDs 4771 (Kerberos pre-authentication failed) instead of 4625 (logon failure). This event is not audited by default on domain controllers and therefore this tool might help to evade detection while password spraying.

Download

git clone https://github.com/outflanknl/Spray-AD.git

Use

Download the Spray-AD folder and load the Spray-AD.cna script within the Cobalt Strike Script Manager.
Syntax within beacon context: Spray-AD [password to test]
This project is written in C/C++. You can use Visual Studio to compile the reflective DLL’s from the source.

Note to Red:

Make sure you always check the Active Directory password and lockout policies before spraying to avoid lockouts.

Note to Blue:

To detect Active Directory Password Spraying, make sure to set up centralized logging and alarming within your IT environment and enable (at least) the following Advanced Audit policy on your Domain Controllers:

Audit Kerberos Authentication Service (Success & Failure). This policy will generate Windows Security Log Event ID 4771 (Kerberos pre-authentication failed).

Author: Cornelis de Plaa (@Cneelis) / Outflank