diff --git a/data/en/response_actions/RA_2004_find_compromised_host/RA_2004_find_compromised_host.yml b/data/en/response_actions/RA_2004_find_compromised_host/RA_2004_find_compromised_host.yml index ef11f54d..5fbdb7a3 100644 --- a/data/en/response_actions/RA_2004_find_compromised_host/RA_2004_find_compromised_host.yml +++ b/data/en/response_actions/RA_2004_find_compromised_host/RA_2004_find_compromised_host.yml @@ -1,8 +1,8 @@ -title: RA_2005_make_a_volatile_memory_capture -id: RA2005 -description: Make a volatile memory capture +title: RA_2004_find_compromised_host +id: RA2004 +description: Find compromised host author: '@ERMACK_COMMUNITY' creation_date: 2023/03/13 stage: identification extended_description: | - Make a volatile memory capture + Find host with suspicious activity. Check it on logs or on network traffic diff --git a/data/en/response_actions/RA_6006_update_password_policy/RA_6006_update_password_policy.yml b/data/en/response_actions/RA_6006_update_password_policy/RA_6006_update_password_policy.yml new file mode 100644 index 00000000..852d319b --- /dev/null +++ b/data/en/response_actions/RA_6006_update_password_policy/RA_6006_update_password_policy.yml @@ -0,0 +1,8 @@ +title: RA_6006_update_password_policy +id: RA6006 +description: Update password policy +author: '@ERMACK_COMMUNITY' +creation_date: 2023/07/23 +stage: lessons_learned +extended_description: | + Update password policy diff --git a/data/en/response_playbooks/RP_0012_kerberos_password_spraying/Event4768.png b/data/en/response_playbooks/RP_0012_kerberos_password_spraying/Event4768.png new file mode 100644 index 00000000..b1eee79e Binary files /dev/null and b/data/en/response_playbooks/RP_0012_kerberos_password_spraying/Event4768.png differ 
diff --git a/data/en/response_playbooks/RP_0012_kerberos_password_spraying/RP0012.png b/data/en/response_playbooks/RP_0012_kerberos_password_spraying/RP0012.png new file mode 100644 index 00000000..58d15e0d Binary files /dev/null and b/data/en/response_playbooks/RP_0012_kerberos_password_spraying/RP0012.png differ diff --git a/data/en/response_playbooks/RP_0012_kerberos_password_spraying/RP_0012_kerberos_password_spraying.yml b/data/en/response_playbooks/RP_0012_kerberos_password_spraying/RP_0012_kerberos_password_spraying.yml new file mode 100644 index 00000000..6f7e8ff6 --- /dev/null +++ b/data/en/response_playbooks/RP_0012_kerberos_password_spraying/RP_0012_kerberos_password_spraying.yml 
@@ -0,0 +1,73 @@ +title: Kerberos password spraying +description: Response playbook for "Kerberos password spraying" attack +id: RP0012 +author: '@ERMACK_COMMUNITY' +creation_date: 2023/07/22 +modification_date: 2023/07/23 +linked_artifacts: + - A1001 + - A1007 + - A1008 +tags: + - status.stable + - severity.high + - tlp.amber + - pap.white + - kerberos +preparation: + - RP_1001_operational_preparations + - RA_1102_access_internal_network_flow_logs + - RA_1109_access_internal_packet_capture_data + - RA_1112_get_ability_to_block_internal_ip_address + - RA_1120_get_ability_to_block_user_internal_communication +identification: + - RA_2004_find_compromised_host + - RA_2601_list_users_authenticated + - RA_2604_find_compromised_user + - RA_2003_put_compromised_accounts_on_monitoring +containment: + - RP_0008_windows_host_compromise + - RP_0009_compromised_active_directory_account +#eradication: +#recovery: +lessons_learned: + - RA_6001_develop_incident_report + - RA_6002_conduct_lessons_learned_exercise + - RA_6006_update_password_policy + +extended_description: | + A password spray attack is quite simple, and if successful, has serious consequences, because attackers obtain the credentials of one or more users, which widens their attack surface +workflow: | + workflow + + To successfully respond to a password spray attack, network logs of access to the domain controller are needed. + With the help of these logs, we will find the IP address from which the attack was carried out and the list of users whose credentials were picked up. + + Signs that a password spray attack is being carried out from this IP address: + + 1. A large number of failed authentication requests with different usernames + 2. 
Authentication requests with usernames for which this IP address is not typical + + The picture below shows a lot of authentication requests (AS_REQ Kerberos message) to the domain controller (192.168.10.1) from the IP address 192.168.10.10 + + Traffic + + The above traffic dump also shows that one of the users got a password. This is evidenced by the AS_REP response of the domain controller. + In the response, you can find the username whose credentials were obtained by the attackers. The picture below shows the response of the domain controller, which contains the username + + AS_REP + + After successful authentication on the domain controller, an <[event with ID 4768]>(A_1008) will be generated, which will also contain the username and IP address. + + Event + + After we have found the names of the compromised users and the IP address from which this attack was carried out, proceed to [Compromised active directory account response playbook](/response_playbooks/RP_0009_compromised_active_directory_account/entity) and [Windows host compromise response playbook](/response_playbooks/RP_0008_windows_host_compromise/entity) + + On lessons learned stage need to check that users do not have commonly used passwords and update the password policy. + + ## Response discovery mapping + + | ARTIFACT | RESPONSE ACTION | RESPONSE ACTION OBSERVABLES | + | :---------------------------| :---------------------------| :---------------------------| + | [Domain account](/artifacts/A_1001_windows_domain_account/entity/) | [Find compromised user](#identification)
*Find the username for which the domain controller returned AS_REP and for which <[event ID 4768]>(A_1008) was generated* | Name or names of the users whose credentials were obtained by the attackers | + | [IP Address](/artifacts/A_1007_ip_address/entity/) | [Find compromised host](#identification)
*Find an IP address with a lot of failed authentications or authentication requests with atypical usernames for this address* | IP address from which the attack was carried out | \ No newline at end of file diff --git a/data/en/response_playbooks/RP_0012_kerberos_password_spraying/as_rep.png b/data/en/response_playbooks/RP_0012_kerberos_password_spraying/as_rep.png new file mode 100644 index 00000000..01993ace Binary files /dev/null and b/data/en/response_playbooks/RP_0012_kerberos_password_spraying/as_rep.png differ diff --git a/data/en/response_playbooks/RP_0012_kerberos_password_spraying/traffic_spray.png b/data/en/response_playbooks/RP_0012_kerberos_password_spraying/traffic_spray.png new file mode 100644 index 00000000..e46f1c4b Binary files /dev/null and b/data/en/response_playbooks/RP_0012_kerberos_password_spraying/traffic_spray.png differ diff --git a/data/en/usecases/UC_0008_kerberos_password_spraying/Event4768.png b/data/en/usecases/UC_0008_kerberos_password_spraying/Event4768.png new file mode 100644 index 00000000..b1eee79e Binary files /dev/null and b/data/en/usecases/UC_0008_kerberos_password_spraying/Event4768.png differ diff --git a/data/en/usecases/UC_0008_kerberos_password_spraying/UC_0008_kerberos_password_spraying.yml b/data/en/usecases/UC_0008_kerberos_password_spraying/UC_0008_kerberos_password_spraying.yml new file mode 100644 index 00000000..98a841dd --- /dev/null +++ b/data/en/usecases/UC_0008_kerberos_password_spraying/UC_0008_kerberos_password_spraying.yml 
@@ -0,0 +1,77 @@ +title: 'Successfull Kerberos password spraying' +id: UC0008 +author: '@ERMACK_COMMUNITY' +creation_date: 2023/07/21 +modification_date: 2023/07/21 +severity: H +tags: + - attack.credential_access + - attack.t1110.003 + - kerberos +linked_response_playbooks: + - RP0012 +linked_artifacts: + - A1001 + - A1010 + - A1008 + - A1009 + - A5008 +description: Attackers can carry out a password spray attack to obtain valid credentials +extended_description: | + Attackers may use single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. + Logins are attempted with that passwords list against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. + + ## Attack mapping + | ARTIFACT | OBJECT | DESCRIPTION | + | :--------| :------| :-----------| + | **Attack Prerequisites** | + | <[Active Directory Account]>(A_1001) | Domain users names | List of valid domain users names | + | <[Authentication Service]>(A_1010) | Authentication service on domain controller | Network availability to authentication service on domain controller | + | **Side Observables** | + | <[Log]>(A_1008) | Windows security log | Windows security log with EventID 4768 - A Kerberos authentication ticket (TGT) was requested | + | <[Kerberos network traffic]>(A_1009) | Kerberos protocol messages | Kerberos protocol messages which generated during the attack | + + The list of valid usernames is included in the prerequisites, but many utilities (as will be shown) can determine whether a given user exists in the domain and display an appropriate message about it. + Accordingly, in the general case, the list of valid users is not a prerequisite for this attack. + However, the list of valid usernames is specified in the prerequisites, since getting this list is a [separate attack](/usecases/UC_0002_as_req_domain_user_enumerate/entity). 
+ + ## Attack result + The result of this attack is the credentials of one or more users + + | RESOURCE | DESCRIPTION | + | :--------| :-----------| + | **Attack Prerequisites** | + | <[Active Directory Account]>(A_1001) | List of valid domain users names | + | <[Authentication Service]>(A_1010) | Network availability to authentication service on domain controller | + | **Result Consequences** | + | <[Password]>(A_5008) | Valid password of one or more users | + + ## Attack progress + + Attackers sequentially send authentication requests with a given password to different users. Depending on the response of the authentication service, a conclusion is made about the correctness of the password. + If successful, the authentication service will return AS_REP kerberos message. + Traffic + + After successful authentication on the domain controller, event 4768 will be generated. + Event + + Below are the tools that can be used to carry out this attack + + ### Rubeus + + ``` + Rubeus brute /password: /users: + ``` + Rubeus + + ### Kerbrute + + ``` + kerbrute_linux_amd64 passwordspray -d + ``` + Kerbrute + + ## References + 1. + 2. + 3. \ No newline at end of file diff --git a/data/en/usecases/UC_0008_kerberos_password_spraying/kerbrute_spray.png b/data/en/usecases/UC_0008_kerberos_password_spraying/kerbrute_spray.png new file mode 100644 index 00000000..d031a003 Binary files /dev/null and b/data/en/usecases/UC_0008_kerberos_password_spraying/kerbrute_spray.png differ diff --git a/data/en/usecases/UC_0008_kerberos_password_spraying/rubeus_brute.png b/data/en/usecases/UC_0008_kerberos_password_spraying/rubeus_brute.png new file mode 100644 index 00000000..a410587c Binary files /dev/null and b/data/en/usecases/UC_0008_kerberos_password_spraying/rubeus_brute.png differ 
diff --git a/data/en/usecases/UC_0008_kerberos_password_spraying/traffic_spray.png b/data/en/usecases/UC_0008_kerberos_password_spraying/traffic_spray.png new file mode 100644 index 00000000..e46f1c4b Binary files /dev/null and b/data/en/usecases/UC_0008_kerberos_password_spraying/traffic_spray.png differ
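Review bot: the new `extended_description` in RA_2004 ("Find host with suspicious activity. Check it on logs or on network traffic") needs a grammar pass; suggest "Find the host showing suspicious activity by checking authentication logs or network traffic." The metadata fix itself is correct and worth calling out in the commit: the file previously carried the RA_2005 volatile-memory-capture title, id and description, so anything resolving RA_2004 by id was picking up the wrong action.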
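Review bot: the `extended_description` of RA_6006 only repeats the `description` ("Update password policy"), so the action carries no guidance on its own. The playbook that links it (RP_0012, lessons_learned) says the point is to check that users do not have commonly used passwords and then update the policy; state that here, e.g. "Review the password policy after the incident and update it so that the passwords that were successfully sprayed are no longer accepted."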
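Review bot: in the `workflow` block of RP_0012 the bare lines `workflow`, `Traffic`, `AS_REP` and `Event` look like image captions whose image links are missing; if they are meant to show RP0012.png, traffic_spray.png, as_rep.png and Event4768.png (all added in this commit), add the image markup so the screenshots actually render. Also in this hunk: `#eradication:` and `#recovery:` are commented-out keys, either fill them in or drop them; `<[event with ID 4768]>(A_1008)` links by artifact id while the Response discovery mapping table links with full paths such as `/artifacts/A_1007_ip_address/entity/`, so pick one link style; "On lessons learned stage need to check that users do not have commonly used passwords" should read "At the lessons learned stage, check that users do not have commonly used passwords"; and the file has no trailing newline. One content gap: the two signs listed for the attacking IP (many failed requests, atypical usernames) are only shown in network traffic, and the only log-side observable given is the successful 4768 event, so a reader with Windows logs but no packet capture is left with nothing to query for the failed attempts even though RA_2004 says to "check it on logs or on network traffic".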
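Review bot: `title: 'Successfull Kerberos password spraying'` has a typo (Successful). The `## References` section of UC_0008 has three numbered entries with no content; fill them in or remove the section. In the Rubeus and Kerbrute fenced blocks the values after `/password:`, `/users:` and `-d` are empty, which looks like angle-bracket placeholders being stripped as HTML; check the rendered page. The bare `Traffic`, `Event`, `Rubeus` and `Kerbrute` lines look like captions for traffic_spray.png, Event4768.png, rubeus_brute.png and kerbrute_spray.png (added in this commit) without image markup. Grammar: "use single or small list of commonly used passwords" -> "use a single password or a small list of commonly used passwords"; "with that passwords list" -> "with that password list"; "Kerberos protocol messages which generated during the attack" -> "Kerberos protocol messages generated during the attack"; "return AS_REP kerberos message" -> "return an AS_REP Kerberos message". The file also lacks a trailing newline.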