Identifying Password Spray Attacks Using Azure Sentinel

Password spraying is a technique of brute force attack. In this attack, attackers use a list of usernames and default passwords to brute force logins to accounts. For example, to avoid account lockouts that would ordinarily be triggered during an effort to brute force a single account with various passwords, an adversary will use one password (welcome123) against multiple user accounts on a particular application.

There are three steps involved in the brute force attack.

Step 1: A reconnaissance operation is required to identify a list of email addresses linked to the targeted organization. The discovered email addresses need to be exported into a file, ideally a text file.

Step 2 : Initiate the password spraying process. There are different tools available on Github. I have used the tool written by 0xZDH for this assessment.

Step 3 : Log into the appropriate account using the credentials discovered.

Password spray execution process

It is simple to launch a spray attack against the targeted domain using a file that contains a list of usernames. There are many scripts that may be used for this purpose that are readily available on Github.

-c COUNT — Number of password attempts to run per user before resetting the lockout account timer. Default: 1

-l LOCKOUT — Lockout policy’s reset time (in minutes). Default: 15 minutes

Azure AD Authentication Codes

The authentication codes are a huge help when analyzing these attacks.

The error code 50126 specifies that the correct credentials were not entered by the user. The description of this error code says Error Validating credentials due to invalid username or password.

The error code 50053 specifies that the account has been blocked due to multiple failed attempts. The description of this error code says the the account is locked, user has tried to sign in too many times with an incorrect password.

Detect password spray attack using Azure Sentinel

The aforementioned Azure AD authentication codes can be used to construct the Azure Sentinel query required to look for the breach.

All of the users, location and IP addresses involved in the attack will be listed in the results below.

Note : The script that was run at the start of the chapter did not produce what is shown below. The prior illustration simply served to demonstrate how to conduct a password spray attack.

SigninLogs

| where ResultType == “50126” or ResultType == “50053”

| summarize USERs = make_set(Identity) by Location, IPAddress

| where USERs[10] != “”;

Note : The value USERs[5] != “” you can specify the visible users. For example with [5] all results are based on 5+ users. With [10] all events are visible with more than 10+ users.

In conclusion, because password spray attacks are increasing, it is critical to implement defense mechanisms to safeguard the environment.