RP0006: Successful OWA Password Spraying attack
Summary
| ID | RP0006 |
|---|---|
| Brief Description | Response playbook for successful OWA Password Spraying attack |
| Author | @TRC_COMMUNITY |
| Creation Date | 2019/01/31 |
| Modification Date | 2019/01/31 |
| Usecases | |
Description
Response playbook for successful OWA Password Spraying attack
Workflow
- Execute the Response Actions step by step. Some of them are directly connected, which means you will not be able to move forward without finishing the previous step. Some of them are redundant, such as those related to blocking a threat using network filtering systems (containment stage)
- Start executing the containment and eradication stages concurrently with the next identification steps, as soon as you receive information about malicious hosts
- If phishing led to code execution or remote access to a victim host, immediately start executing the Generic Post Exploitation Incident Response Playbook
- Save all timestamps of implemented actions in the Incident Report draft on the fly; it will save a lot of time
Playbook Actions
Preparation
- Practice
- Take Trainings
- Make Personnel Report Suspicious Activity
- Raise Personnel Awareness
Identification
- Put Compromised Accounts On Monitoring
Containment
- Lock User Account
  - Powershell disable AD user
Eradication
- Revoke Authentication Credentials
Recovery
- Unlock Locked User Account
  - Powershell enable AD user
Lessons Learned
- Develop Incident Report
- Conduct Lessons Learned Exercise
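The containment, eradication and recovery actions above, with each step timestamped into the Incident Report draft as the workflow recommends, as one PowerShell script (an added example, not the playbook's own code). It assumes the RSAT ActiveDirectory module, rights over the affected accounts, a hypothetical report file path and a constructed list of compromised sAMAccountNames.

```powershell
# Added example, not the ATC playbook's own code. Assumes the RSAT ActiveDirectory
# module, rights over the affected accounts, and a list of compromised sAMAccountNames.
Import-Module ActiveDirectory
$ReportPath = 'C:\IR\RP0006-report-draft.txt'   # hypothetical report draft

# Timestamp every action in the report draft, as the workflow recommends.
function Write-IrEntry {
    param([string]$Stage, [string]$Message)
    $line = '{0:u} [{1}] {2}' -f (Get-Date).ToUniversalTime(), $Stage, $Message
    Add-Content -Path $ReportPath -Value $line
}

# Containment: disable the accounts so the sprayed passwords stop working.
function Invoke-Containment {
    param([string[]]$Accounts)
    foreach ($sam in $Accounts) {
        Disable-ADAccount -Identity $sam
        Write-IrEntry -Stage 'Containment' -Message "Disabled AD account $sam"
    }
}

# Eradication: revoke the guessed credential with a random reset and force
# a user-chosen password at next logon.
function Invoke-Eradication {
    param([string[]]$Accounts)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    foreach ($sam in $Accounts) {
        $bytes = New-Object byte[] 24
        $rng.GetBytes($bytes)
        $tmp = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-ADAccountPassword -Identity $sam -Reset -NewPassword $tmp
        Set-ADUser -Identity $sam -ChangePasswordAtLogon $true
        Write-IrEntry -Stage 'Eradication' -Message "Reset password for $sam, change required at next logon"
    }
}

# Recovery: re-enable (and unlock, if the spray tripped the lockout policy)
# once the user has been verified and re-briefed.
function Invoke-Recovery {
    param([string[]]$Accounts)
    foreach ($sam in $Accounts) {
        Unlock-ADAccount -Identity $sam
        Enable-ADAccount -Identity $sam
        Write-IrEntry -Stage 'Recovery' -Message "Unlocked and enabled AD account $sam"
    }
}
$compromised = @('jdoe', 'asmith')   # constructed sample identities
Invoke-Containment -Accounts $compromised
Invoke-Eradication -Accounts $compromised
```

Run Invoke-Recovery on the same list only after the user has been verified, so the recovery timestamp in the report reflects the actual end of containment.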