T1110.003 Password Spraying

This control specifically provides detection of Password Spray attacks for Azure Active Directory accounts. Microsoft documentation states that this detection is based on a machine learning algorithm that has been improved with the latest improvement yielding a 100 percent increase in recall and 98 percent precision. The temporal factor for this detection is Partial as its detection is described as offline (i.e. detections may not show up in reporting for two to twenty-four hours).

Response Type: Eradication Supports blocking and resetting the user's credentials based on the detection of a risky user/sign-in (such as Password Spray attack) manually and also supports automation via its user and sign-in risk policies.

This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]", "Successful brute force attack", "Suspicious authentication activity".

This control's "Authentication to Linux machines should require SSH keys" can obviate SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.

This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.

The "Summary of user logons by logon type" Azure Sentinel Hunting query compares successful and unsuccessful logon attempts to identify potential lateral movement. The following Azure Sentinel Hunting queries can identify potential attempts at credential brute force based on unsuccessful attempts: "VIP account more than 6 failed logons in 10", "Multiple Failed Logon on SQL Server in Short time Span", "Permutations on logon attempts by UserPrincipalNames indicating potential brute force", "Potential IIS brute force", "Failed attempt to access Azure Portal", "Failed Login Attempt by Expired account", "Failed Logon Attempts on SQL Server", "Failed Logon on SQL Server from Same IPAddress in Short time Span", "Failed service logon attempt by user account with available AuditData", "Login attempt by Blocked MFA user", "Login spike with increase failure rate", "Attempts to sign-in to disabled accounts by IP address", "Attempts to sign-in to disabled accounts by account name", "Brute Force attack against Azure Portal", and "Anomalous Failed Logon" The following Azure Sentinel Analytics queries can identify potential attempts at credential brute force based on unsuccessful attempts: "Brute force attack against Azure Portal", "Password spray attack against Azure AD application", "Successful logon from IP and failure from a different IP", "Failed logon attempts in authpriv", "Failed AzureAD logons but success logon to host", "Excessive Windows logon failures", "Failed login attempts to Azure Portal", "Failed logon attempts by valid accounts within 10 mins", "Brute Force Attack against GitHub Account", "Distributed Password cracking attempts in AzureAD", "Potential Password Spray Attack" based on periodic assessment of Azure Active Directory sign-in events and Okta console logins, "Attempts to sign in to disabled accounts", "Sign-ins from IPs that attempt sign-ins to disabled accounts", "High count of failed logins by a user", "Hi count of failed attempts same client IP", "SSH - Potential Brute Force", and "SecurityEvent - Multiple authentication failures followed by success".

This control's "Suspected Brute Force attack (Kerberos, NTLM) (external ID 2023)" alert can detect these brute force sub-techniques. It incorporates a machine learning feature that should reduce the number of false positives. Similarly, its "Suspected Brute Force attack (LDAP) (external ID 2004)" alert can detect brute force attacks using LDAP simple binds. The "Suspected Brute Force attack (SMB) (external ID 2033)" alert is also relevant but the details are sparse.

MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.

This control may provide recommendations to implement multi-factor authentication, implement password security policies, and replacing password authentication with more secure authentication methods. This control can affect Azure, Azure cloud application, and endpoint credentials.

This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline.

This control may alert on repeated sign in attempts to the resource and successful logins from a suspicious location, IP address, or a user that does not commonly log in to the resource. Because this control is specific to Azure database offerings, the detection coverage is Minimal.

Conditional Access can be used to enforce MFA for users which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before their access is permitted.

This control can detect some activity indicative of brute force attempts to login. Relevant alert is "Multiple failed login attempts".

This control's "Require MFA for administrative roles" and "Ensure all users can complete multi-factor authentication for secure access" recommendations for enabling MFA can significantly lead to reducing the impact of a password compromise of accounts, requiring the adversary to complete an additional authentication method before their access is permitted. This control's "Do not expire passwords" recommendation also can lead to mitigating the Password Guessing or Cracking sub-techniques by disabling password reset which tends to lead to users selecting weaker passwords. This control's "Enable policy to block legacy authentication" and "Stop legacy protocols communication" recommendations can lead to protecting against these brute force attacks as Microsoft research has shown organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled. Additionally, the same research shows that more than 99 percent of password spray and more than 97 percent of credential stuffing attacks use legacy authentication. This control's "Resolve unsecure account attributes" recommendation can lead to detecting accounts with disabled (Kerberos) Preauthentication which can enable offline Password Cracking. Because these are recommendations and do not actually enforce MFA, the assessed score is capped at Partial.

This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at brute forcing a protocol, such as RDP or SSH, unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured.

This control provides significant protection against password based attacks by completing obviating the need for passwords by replacing it with passwordless credentials.