TA0006 · ATT&CK Tactic
Credential Access
Steal valid credentials to escalate access. Run the attack on the left — see exactly what the defender sees on the right, including alert JSON and live tool links.
T1110.003
Password Spraying
Spray a single password across many accounts to avoid lockout thresholds. The industry-standard wordlist is rockyou.txt, because it is derived from real breached passwords: common corporate passwords appear in the top 10,000 entries.
Attack Simulation
# Step 1: Select wordlist for spray
Industry standard for corporate environments?
SIEM Alert — High
Foyl SIEM · ALT-2024-8847
{
  "rule": "Multiple Failed Logon — Spray Pattern",
  "event_id": 4625,
  "source_ip": "185.220.101.42",
  "accounts_targeted": 29,
  "timespan_minutes": 3,
  "single_password": true,
  "threshold_exceeded": true,
  "target_hit": "priya.khatri",
  "credential_compromised": true
}
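One way a rule like the alert above can be computed, as an added example that is not the SIEM's own logic or code from this page: it correlates failed logons (event 4625) per source instead of per account, which is why a spray that stays under the lockout policy still surfaces. The event field names, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed correlation window
MIN_ACCOUNTS = 10               # assumed distinct-account threshold
LOCKOUT_THRESHOLD = 5           # assumed per-account lockout policy

def detect_spray(events):
    """Flag sources whose failed logons (4625) hit many distinct accounts in WINDOW."""
    by_source = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_source[e["source_ip"]].append((e["time"], e["account"]))
    alerts = []
    for ip, fails in by_source.items():
        fails.sort()
        best, start = [], 0
        for end in range(len(fails)):
            # Shrink the window from the left until it spans at most WINDOW.
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1
            window = fails[start:end + 1]
            if len({a for _, a in window}) > len({a for _, a in best}):
                best = window
        accounts = [a for _, a in best]
        if len(set(accounts)) >= MIN_ACCOUNTS:
            alerts.append({
                "source_ip": ip,
                "accounts_targeted": len(set(accounts)),
                "timespan_minutes": round((best[-1][0] - best[0][0]).total_seconds() / 60, 1),
                # True when no account reached the lockout policy: the spray
                # is invisible to per-account controls, visible per source.
                "below_lockout": max(map(accounts.count, set(accounts))) < LOCKOUT_THRESHOLD,
            })
    return alerts

def sample_events():
    """Constructed events: one spraying source and one user mistyping a password."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    spray = [{"event_id": 4625, "source_ip": "203.0.113.7", "account": f"user{i:02d}",
              "time": t0 + timedelta(seconds=6 * i)} for i in range(29)]
    typo = [{"event_id": 4625, "source_ip": "198.51.100.20", "account": "alice",
             "time": t0 + timedelta(seconds=20 * i)} for i in range(4)]
    return spray + typo

if __name__ == "__main__":
    print(detect_spray(sample_events()))
```

The user who mistypes one password four times produces no alert, while the source touching 29 accounts once each does.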
T1558.003
Kerberoasting
Request Kerberos service tickets for accounts with SPNs, extract RC4 hashes, crack offline. No elevated privileges needed — any domain user can request service tickets. Service accounts often have weak passwords and never expire.
Attack Simulation
# Enumerate SPNs and request service tickets
SIEM Alert — Medium
Foyl SIEM · ALT-2024-9102
{
  "rule": "Kerberos TGS Request — RC4 Downgrade",
  "event_id": 4769,
  "ticket_encryption": "RC4-HMAC (0x17)",
  "requested_by": "svc_backup",
  "source_ip": "185.220.101.42",
  "spns_enumerated": 3,
  "rc4_downgrade_detected": true,
  "note": "Modern clients use AES — RC4 is a roastable indicator"
}