LoFP / legitimate use of dsacls to bind to an ldap session

Techniques

• t1218

Sample rules

Potential Password Spraying Attempt Using Dsacls.EXE

• source: sigma
• technicques:
  • t1218

Description

Detects possible password spraying attempts using Dsacls

Detection logic

condition: all of selection*
selection_cli:
  CommandLine|contains|all:
  - '/user:'
  - '/passwd:'
selection_img:
- Image|endswith: \dsacls.exe
- OriginalFileName: DSACLS.EXE