Identity Attacks with Azure Sentinel
There are a few terms for credential attacks, such as password attacks, identity attacks, dictionary attacks, etc. Identity attacks come in different styles with different nuances.
The most prevalent attacks are the Password Spray and the Brute-force attack.
What are the differences between a brute-force attack, password spraying, and credential stuffing? This post explains some of the highlights and differences between these authentication attack types and how to manage those attacks with Azure Sentinel.
TIP: Credential Attacks can be handled by Azure AD Identity Protection and Microsoft Cloud App Security.
Type of Attacks
Brute-Force is defined as “relying on or achieved through the application of force, effort, or power in usually large amounts instead of more efficient, carefully planned, or precisely directed methods.”
In this sense, brute-force authentication attacks can be considered an aggression that employs overwhelming force to determine valid credentials.
Typically, brute-force attacks will target a single account identifier (username, email address, etc.) with extensive lists of possible passwords, attempting each in succession until the correct password is determined, the account is locked out, the attack is mitigated, or the threat actor abandons her efforts.
First, the attacker needs a wordlist, created through manual or automated means. This base wordlist is then mangled with Hashcat.
Mangling works by creating variations of the words on the wordlist that include commonly used "complexity," such as capitalizing the first letter, adding "!" to the end, or appending the current year "2020".
There are lots of tools to perform identity attacks, including:
In short, a Brute-force attack uses multiple passwords to attack one user account. Security systems quickly detect this attack, and in many scenarios the account is locked out. For example, mitigation can be done with Azure AD Smart Lockout to protect the user against this type of attack.
TIP: in many scenarios, brute-force attacks come from different IP addresses and countries, which are used to evade detection.
Password Spray is a variation of an authentication attack. This form of authentication attack employs lists of usernames and then tries each of them against a few common passwords.
A password spray attack is generally less focused than a brute-force attack. The focus of a brute-force attack is usually one account or a handful of known accounts, which are subjected to large lists of possible passwords.
Password spraying flips this around: a few common or default passwords are used against an extensive list of possible accounts. So, where the many-to-one ratio in brute-force attacks is many passwords to one username, it is many usernames to one password in password spraying.
This is a conceptually different way of performing authentication attacks, as the "known variable" is the password, not the account name, whereas in a brute-force attack the known variable is the username. Real-world password spraying attacks incorporate lists of common, default, or known passwords.
In short, a password spray attack uses one password to attack multiple users. Security systems do not easily detect this attack method; Microsoft Cloud App Security and Azure AD Identity Protection, for example, can identify this kind of attack.
Credential stuffing uses hijacked account credentials, typically lists of usernames or email addresses with their corresponding passwords, to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.
Password reuse is still common, and compromised account credentials are continually being bought and sold online by threat actors.
Usually, these compromised accounts are leveraged to authenticate to additional services, applications, or systems.
Compromised credentials, known as “dumps,” are publicly available, and threat actors frequently use these dumps to attempt to compromise additional accounts belonging to the affected user.
Comparison table with differences between password spray, brute-force, and credential stuffing.
Now that you are familiar with identity attacks, you can move on to the next steps and learn what information Azure AD, Azure AD Identity Protection, Microsoft Cloud App Security, and Azure Sentinel provide to detect and respond to identity attacks.
Azure AD Authentication Codes
Azure AD provides a set of error codes with a description for each one. Some of the Azure AD authentication and authorization error codes, such as AADSTS50126 (error code 50126), indicate that someone is trying to authenticate with the wrong user name and password.
Error code 50126 means InvalidUserNameOrPassword: error validating credentials due to an invalid username or password.
Another critical error code is AADSTS50053 (error code 50053): someone tried to log in too often and got locked out. The error code means IdsLocked: the account is locked because the user tried to sign in too many times with an incorrect user ID or password.
Another relevant error code is AADSTS50055: someone tried to log in with an expired password. The error code description is InvalidPasswordExpiredPassword: the password is expired.
|Code|Message|Remediation|
|---|---|---|
|50126|Error validating credentials due to invalid username or password.|The user didn't enter the right credentials. Expect to see some number of these errors in your logs due to users making mistakes.|
|50053|The account is locked; you've tried to sign in too many times with an incorrect user ID or password.|The user was blocked due to repeated sign-in attempts. See https://docs.microsoft.com/azure/active-directory/identity-protection/howto-unblock-user|
Identify Password Attack with Azure Sentinel
Once you're familiar with the Azure AD authentication codes, you can start to search and query for identity attacks with Azure Sentinel.
The first attack is the Brute-force attack. The following query filters on ResultType (the Azure AD authentication code) and uses project and summarize to show the relevant IP addresses and locations per identity:
// Brute force result for IP address and Location
// Source table: the Azure AD sign-in logs ingested into Sentinel
SigninLogs
| where ResultType == "50126" or ResultType == "50053" or ResultType == "50055"
| project Identity, Location, IPAddress
| summarize IPs = dcount(IPAddress), Location = make_set(Location) by Identity
| sort by IPs desc
This query identifies the attack using all three error codes.
Its results highlight the identities that were targeted from the most distinct IP addresses, which is the main indicator of a Brute-force attack.
The second attack is the Password Spray attack, which runs one password against many users; in this scenario the attempts come from one IP address.
// Password Spray result with one password to many users
// Source table: the Azure AD sign-in logs ingested into Sentinel
SigninLogs
| where ResultType == "50053" or ResultType == "50126"
| project Identity, Location, IPAddress
| summarize USERs = make_set(Identity) by Location, IPAddress
The result lists, per location and IP address, all the users that failed to sign in from it.
TIP: adding a where clause on the USERs column filters the results so that only IP addresses with more than one user are visible. You can also raise the threshold in that clause to, for example, only show results with 5+ users.
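To make the many-to-one ratios from the attack descriptions and the two queries concrete, here is an added Python example (not code from the original post) that applies the same logic offline to a constructed set of sign-in records. The record fields mirror the SigninLogs columns used above (Identity, Location, IPAddress, ResultType); the sample data, the helper names and the default thresholds are assumptions for illustration. brute_force_candidates mirrors the first query (dcount of IPs and make_set of locations per identity), and password_spray_candidates mirrors the second query plus the TIP's user-count threshold.

```python
from collections import defaultdict

# Constructed sample sign-in records (not real log data). Field names follow the
# SigninLogs columns used in the KQL queries; IPs are from documentation ranges.
SAMPLE_SIGNINS = [
    # Brute-force pattern: one identity, repeated failures from several IPs/locations
    {"Identity": "alice", "Location": "NL", "IPAddress": "198.51.100.10", "ResultType": "50126"},
    {"Identity": "alice", "Location": "US", "IPAddress": "198.51.100.11", "ResultType": "50126"},
    {"Identity": "alice", "Location": "DE", "IPAddress": "198.51.100.12", "ResultType": "50126"},
    {"Identity": "alice", "Location": "DE", "IPAddress": "198.51.100.12", "ResultType": "50053"},
    # Password-spray pattern: one IP, many identities each failing once
    {"Identity": "bob",   "Location": "FR", "IPAddress": "203.0.113.5", "ResultType": "50126"},
    {"Identity": "carol", "Location": "FR", "IPAddress": "203.0.113.5", "ResultType": "50126"},
    {"Identity": "dave",  "Location": "FR", "IPAddress": "203.0.113.5", "ResultType": "50126"},
    {"Identity": "erin",  "Location": "FR", "IPAddress": "203.0.113.5", "ResultType": "50053"},
    # Benign noise: a successful sign-in (ResultType 0) and a single user typo
    {"Identity": "frank", "Location": "NL", "IPAddress": "192.0.2.7", "ResultType": "0"},
    {"Identity": "grace", "Location": "NL", "IPAddress": "192.0.2.8", "ResultType": "50126"},
]

# Azure AD result codes discussed on the page: bad credentials, locked, expired
BRUTE_FORCE_CODES = {"50126", "50053", "50055"}
SPRAY_CODES = {"50126", "50053"}


def brute_force_candidates(records, min_ips=2):
    """Per Identity: distinct failing source IPs (dcount) and the set of
    locations (make_set). Identities hit from >= min_ips addresses are returned,
    sorted by IP count descending, like the first KQL query."""
    ips = defaultdict(set)
    locations = defaultdict(set)
    for r in records:
        if r["ResultType"] in BRUTE_FORCE_CODES:
            ips[r["Identity"]].add(r["IPAddress"])
            locations[r["Identity"]].add(r["Location"])
    rows = [
        {"Identity": ident, "IPs": len(ips[ident]), "Location": sorted(locations[ident])}
        for ident in ips
        if len(ips[ident]) >= min_ips  # assumed threshold, tune for your tenant
    ]
    return sorted(rows, key=lambda row: row["IPs"], reverse=True)


def password_spray_candidates(records, min_users=2):
    """Per (Location, IPAddress): the set of identities that failed to sign in
    (make_set). Only groups with >= min_users identities are returned, which is
    the filter the TIP describes (raise min_users to 5 for a 5+ users view)."""
    users = defaultdict(set)
    for r in records:
        if r["ResultType"] in SPRAY_CODES:
            users[(r["Location"], r["IPAddress"])].add(r["Identity"])
    return [
        {"Location": loc, "IPAddress": ip, "USERs": sorted(idents)}
        for (loc, ip), idents in users.items()
        if len(idents) >= min_users
    ]


if __name__ == "__main__":
    # Only alice is hit from multiple IPs; only 203.0.113.5 touches many users.
    print("Brute-force candidates:", brute_force_candidates(SAMPLE_SIGNINS))
    print("Password-spray candidates:", password_spray_candidates(SAMPLE_SIGNINS))
    print("With 5+ users threshold:", password_spray_candidates(SAMPLE_SIGNINS, min_users=5))
```

The two functions deliberately key on opposite dimensions: the brute-force check groups by identity and counts sources, the spray check groups by source and counts identities. A single typo (grace) or a lockout of one user never crosses either threshold, which is the noise the TIP's user-count filter is meant to remove.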
In conclusion, identity attacks are always on the rise, and therefore you must identify them by their specific error codes. The principal error codes are 50126 and 50053 for both Brute-force and Password Spray attacks.