{"id":3589,"date":"2021-08-05T00:23:30","date_gmt":"2021-08-04T22:23:30","guid":{"rendered":"https:\/\/jeffreyappel.nl\/?p=3589"},"modified":"2023-08-12T23:47:19","modified_gmt":"2023-08-12T21:47:19","slug":"protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad","status":"publish","type":"post","link":"https:\/\/jeffreyappel.nl\/protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad\/","title":{"rendered":"Protecting against password spray attacks with Azure Sentinel and Azure AD"},"content":{"rendered":"<p><strong>A Password Spraying Attack is\u00a0a type of brute force attack where a malicious actor attempts the same password on many accounts before moving on to another one and repeating the process. In this blog the explanation of detection and protection against password spray attacks.\u00a0<\/strong><\/p>\n<p>Three steps are needed for running a password spray attack:<\/p>\n<h3 class=\"\">Three steps are needed for a successful password spray attack<\/h3>\n<p><strong>Step 1<\/strong>: It all starts with a list of accounts and e-mails. With all the cloud-based toolings and leaks not too hard to complete in some hours. Most organizations have a formal convention for the e-mail address, for example: <strong class=\"\">firstname.lastname@companyname.com.\u00a0<\/strong>Based on social media channels and for example LinkedIn easy to generate account names. And of course, there is a lot of data available from hacks which are containing e-mail information.<\/p>\n<p><strong>Step 2<\/strong>: Spray the passwords is the next step. Not too hard to find some passwords on the public web. From the internet each year there are <a href=\"https:\/\/en.wikipedia.org\/wiki\/Wikipedia:10,000_most_common_passwords\">multiple lists<\/a> available with the top-used password. 123456, password and qwerty is still one of the most used passwords. ( always good to not using this type of password or use password-less.) Of course hackers will use the dark web for more password information. With a Password spray attack hackers will deploy often-used passwords to multiple users during some time behind each sign-in ( to give the insights based on a normal sign-in)<\/p>\n<p><strong>Step 3<\/strong>: The goal is to complete the access with one of the passwords for one of the accounts. For attackers one successful password+username is enough to complete most of the time internal reconnaissance on the target network and go deeper into the systems via elevation pf privilege.<\/p>\n<p>Important is the way of protection against password spray attacks. In this blog the explanation of the following protection features:<\/p>\n<ul>\n<li>Azure AD Password Protection<\/li>\n<li>Azure AD Identity Protection<\/li>\n<li>Azure Sentinel insights<\/li>\n<\/ul>\n<hr \/>\n<h2>Run the password spray<\/h2>\n<p>It is quite simple to create an input.txt file with the usernames from any public leak or social site.\u00a0 When you known the format you can easily fill in most of the e-mails. Multiple Python scripts are available for validating email accounts against AzureAD. With the result only Office365 accounts.<\/p>\n<p>Now use one of the Password Spray PowerShell scripts or any other toolings to run a Password Spray attack. In case of no matching password:<\/p>\n<p><img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone size-full wp-image-3593\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-02_22-55-24.png\" alt=\"\" width=\"962\" height=\"134\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-02_22-55-24.png 962w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-02_22-55-24-300x42.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-02_22-55-24-768x107.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-02_22-55-24-585x81.png 585w\" sizes=\"(max-width: 962px) 100vw, 962px\" \/><\/p>\n<p>Bingo! Password matching<\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-3592\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-02_22-52-47.png\" alt=\"\" width=\"962\" height=\"378\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-02_22-52-47.png 962w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-02_22-52-47-300x118.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-02_22-52-47-768x302.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-02_22-52-47-585x230.png 585w\" sizes=\"(max-width: 962px) 100vw, 962px\" \/><\/p>\n<p>When you have access without MFA. Quite easy to view the other AzureAD information with some AzureAD framework tools.<\/p>\n<p>Most common events for Password spraying:<\/p>\n<table>\n<tbody>\n<tr>\n<td>Error Code<\/td>\n<td>50126<\/td>\n<\/tr>\n<tr>\n<td>Message<\/td>\n<td>Error validating credentials due to invalid username or password.<\/td>\n<\/tr>\n<tr>\n<td>Remediation<\/td>\n<td>The user didn\u2019t enter the right credentials. \u00a0It\u2019s expected to see some number of these errors in your logs due to users making mistakes.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<div><\/div>\n<div>\n<div>\n<table>\n<tbody>\n<tr>\n<td>Error Code<\/td>\n<td>50053<\/td>\n<\/tr>\n<tr>\n<td>Message<\/td>\n<td>The account is locked, you\u2019ve tried to sign in too many times with an incorrect user ID or password.<\/td>\n<\/tr>\n<tr>\n<td>Remediation<\/td>\n<td>The user is blocked due to repeated sign-in attempts. See https:\/\/docs.microsoft.com\/azure\/active-directory\/identity-protection\/howto-unblock-user<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<hr \/>\n<h2>Detection with Microsoft toolings<\/h2>\n<p>Now it is time for the detection. Of course prevention is always better. The next topic is all based on prevention with Microsoft toolings. In case to minimize the impact discovery is important. Multiple toolings are available. For example:<\/p>\n<ul>\n<li>AzureAD Identity Protection<\/li>\n<li>Azure Sentinel<\/li>\n<\/ul>\n<p>Important to track the following events: <strong>50126<\/strong> and 5<strong>0063<\/strong>.<\/p>\n<h3>Azure Sentinel<\/h3>\n<p>For Azure Sentinel connect the Azure Active Directory connector. Collect the Sign-in Logs\/ Audit Logs and other Sign-in logs. Always good to enable more events for analysis.<\/p>\n<p>For enabling the Azure Active Directory connector:<\/p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-3595\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-02_23-12-29.png\" alt=\"\" width=\"696\" height=\"411\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-02_23-12-29.png 1609w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-02_23-12-29-300x177.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-02_23-12-29-1024x605.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-02_23-12-29-768x453.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-02_23-12-29-1536x907.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-02_23-12-29-585x345.png 585w\" sizes=\"(max-width: 696px) 100vw, 696px\" \/><\/p>\n<ul>\n<li>Go to<strong> Azure Sentinel<\/strong><\/li>\n<li>Click on <strong>Data connectors<\/strong><\/li>\n<li>Search for <strong>Azure Active Directory<\/strong><\/li>\n<li>Configure the <strong>log types<\/strong><\/li>\n<li>Make sure <strong>Audit Logs is enabled<\/strong><\/li>\n<\/ul>\n<p>Note: Azure P1 or P2 is needed for export Sign-in data.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3594\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-02_23-10-06.png\" alt=\"\" width=\"701\" height=\"260\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-02_23-10-06.png 1811w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-02_23-10-06-300x111.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-02_23-10-06-1024x379.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-02_23-10-06-768x285.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-02_23-10-06-1536x569.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-02_23-10-06-585x217.png 585w\" sizes=\"(max-width: 701px) 100vw, 701px\" \/><\/p>\n<h3>Azure Sentinel &#8211; KQL<\/h3>\n<p>Based on eventID 50053\/ 50126\u00a0 multiple ways are available for discovering password spray attacks. With the option <span style=\"text-decoration: underline;\">summarize by location<\/span> there is the option to summarize users based on the location and IP. All below are basic KQL query&#8217;s.<\/p>\n<p>For production environments extension of the query is possible with some watchlist items with all corporate IPs.<\/p>\n<p>Basic example:<\/p>\n<p style=\"padding-left: 40px;\">\/\/ password spray attack event 50126 50053<br \/>\nSigninLogs<br \/>\n| where ResultType == &#8220;50053&#8221; or ResultType == &#8220;50126&#8221;<br \/>\n| project Identity, Location, IPAddress<br \/>\n| summarize USERs = make_set(Identity) by Location, IPAddress<br \/>\n| where USERs[2] != &#8220;&#8221;&gt;<\/p>\n<p>With the item USERs[2] != &#8220;&#8221; you can specify the visible users. For example with [2] all results are based on 2+ users. With [10] all events are visible with more than 10+ users.<\/p>\n<p>Example below: From <strong>location JP<\/strong> with the IP <strong>45.14.71.20\u00a0<\/strong>the password spraying for the users is visible.<\/p>\n<div>Green:\u00a0 Sign-in location and IPAddress<\/div>\n<div>Red: Sign-in for users based on the IP and location.<\/div>\n<div><\/div>\n<div><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-3597\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-02-04.png\" alt=\"\" width=\"2502\" height=\"746\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-02-04.png 2502w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-02-04-300x89.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-02-04-1024x305.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-02-04-768x229.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-02-04-1536x458.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-02-04-2048x611.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-02-04-585x174.png 585w\" sizes=\"(max-width: 2502px) 100vw, 2502px\" \/><\/div>\n<div><\/div>\n<div>With the above KQL-query whitelisting for internal locations ( VPN, Corporate networks e.d) is needed for specifying the results from the KQL and including the sign-in state successful for track completed sign-ins.<\/div>\n<div><\/div>\n<div>Another community example with some advanced details.\u00a0 <a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Detections\/SigninLogs\/SigninPasswordSpray.yaml\">Source<\/a><\/div>\n<div><\/div>\n<div><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-3598\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-12-52.png\" alt=\"\" width=\"2100\" height=\"724\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-12-52.png 2100w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-12-52-300x103.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-12-52-1024x353.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-12-52-768x265.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-12-52-1536x530.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-12-52-2048x706.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-12-52-585x202.png 585w\" sizes=\"(max-width: 2100px) 100vw, 2100px\" \/><\/div>\n<div><\/div>\n<div>Useful in this example is the speciation of the start time\/ end time and detailed sign-in with recording for Success sign-in and failed sign-in.<\/div>\n<div><\/div>\n<div><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-3600\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-13-23.png\" alt=\"\" width=\"2026\" height=\"298\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-13-23.png 2026w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-13-23-300x44.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-13-23-1024x151.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-13-23-768x113.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-13-23-1536x226.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-13-23-585x86.png 585w\" sizes=\"(max-width: 2026px) 100vw, 2026px\" \/><\/div>\n<div><\/div>\n<div>With the data available in Azure Sentinel multiple cases are available. Based on the data you can create Analytics rules or workbooks for showing the location sign-ins based on the location.<\/div>\n<div><\/div>\n<div><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-3601\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-21-29.png\" alt=\"\" width=\"1506\" height=\"802\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-21-29.png 1506w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-21-29-300x160.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-21-29-1024x545.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-21-29-768x409.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-21-29-585x312.png 585w\" sizes=\"(max-width: 1506px) 100vw, 1506px\" \/><\/div>\n<div>With some more events collected. Each bullet shows the total count of sign-ins with more than 2 users included.<\/div>\n<h3><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3602\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-23-08.png\" alt=\"\" width=\"795\" height=\"363\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-23-08.png 1477w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-23-08-300x137.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-23-08-1024x467.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-23-08-768x350.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_22-23-08-585x267.png 585w\" sizes=\"(max-width: 795px) 100vw, 795px\" \/><\/h3>\n<hr \/>\n<h2>Azure AD Identity Protection<\/h2>\n<p>With <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/azure-active-directory-identity\/advancing-password-spray-attack-detection\/ba-p\/1276936\">machine learning logic<\/a> AzureAD Identity Protection have the option to detect Password spray attacks. For viewing the Identity Protection Brute force risk detections.<\/p>\n<ul>\n<li>Go to <strong>Azure AD<\/strong><\/li>\n<li>Open <strong>Identity Protection<\/strong><\/li>\n<li>Go to <strong>Report<\/strong> &#8211; <strong>Risk detections<\/strong><\/li>\n<li>Use the <strong>filter option<\/strong> for configuring the <strong>detection type<\/strong>. For the Password spraying events the detection type contains: <strong>Password spraying<\/strong><\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-3604\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_23-08-27.png\" alt=\"\" width=\"2010\" height=\"1015\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_23-08-27.png 2010w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_23-08-27-300x151.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_23-08-27-1024x517.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_23-08-27-768x388.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_23-08-27-1536x776.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_23-08-27-585x295.png 585w\" sizes=\"(max-width: 2010px) 100vw, 2010px\" \/><\/p>\n<p>The best way to train the system to learn a user&#8217;s properties is to use the risky sign-in policy with MFA. When a risky sign-ins is prompted for MFA and the user successfully responds to the request, the sign-in can succeed and help to train the system on the legitimate user&#8217;s behavior.<\/p>\n<p>The Password Spray detection is part of the <strong>Sign-in risk<\/strong> with the detection type: <strong>Offline<\/strong><\/p>\n<hr \/>\n<h2>Protection of the Azure AD environment<\/h2>\n<p>AzureAD protection is important. Multiple toolings are available for detection and protection against brute-force\/ password spraying.<\/p>\n<h3>Azure AD Password Protection<\/h3>\n<p>First <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/azure-active-directory-identity\/azure-ad-password-protection-is-now-generally-available\/ba-p\/377487\" target=\"_blank\" rel=\"noopener noreferrer\">Azure AD Password Protection<\/a> is important. With AzureAD Password Protection it is possible to protect users against easily guessed passwords and customize the lockout settings for the environment. Password Protection is available for cloud and on-prem resources.<\/p>\n<p><strong>Banned password list<\/strong><\/p>\n<p>For corporate environments, it is useful to protect multiple passwords by default which contain information that is easy to connect with the organization, such as:<\/p>\n<ul>\n<li>Company names<\/li>\n<li>Product names<\/li>\n<li>Locations<\/li>\n<li>Company terms<\/li>\n<li>Internal terms<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3607\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_23-19-10.png\" alt=\"\" width=\"609\" height=\"414\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_23-19-10.png 946w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_23-19-10-300x204.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_23-19-10-768x522.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-04_23-19-10-585x398.png 585w\" sizes=\"(max-width: 609px) 100vw, 609px\" \/><\/p>\n<p>Microsoft will add more combinations automatically in the list of combinations. Once terms are added to the custom banned password list, they will be combined with the global banned password list when validating new passwords. For example, if you add the password <strong>&#8220;ContosoCorp&#8221;<\/strong> the following combination will be blocked by the algorithm.<\/p>\n<ul>\n<li>ContosoCorp!1<\/li>\n<li>ContosoCorp@<\/li>\n<li>ContosoCorp!2<\/li>\n<li>1ContosoCorp<\/li>\n<li>&#8230;<\/li>\n<li>&#8230;<\/li>\n<\/ul>\n<p>For configuring the banned password list. <em>Browse to Azure Active Directory &gt; Security &gt; Authentication methods &gt; Password protection.\u00a0<\/em><\/p>\n<h3><strong>Protect passwords &amp; identity<\/strong><\/h3>\n<p>The best and most effective way in combination with the other protection features is the reduction of passwords. For AzureAD multiple passwordless solutions are available. For example:<\/p>\n<ul>\n<li>Windows Hello<\/li>\n<li>FIDO2 Security keys<\/li>\n<li>Microsoft Authentication app\/ Phone sign-in<\/li>\n<\/ul>\n<p>Of course, start always with enabling Multi-Factor Authentication for all accounts and start with a good Conditional Access baseline for all accounts. Including Service accounts, admin accounts, and the break-glass account.<\/p>\n<p>Blogs for more information about Protection passwords &amp; Identity:<\/p>\n<ul>\n<li><a href=\"https:\/\/jeffreyappel.nl\/track-the-registration-and-usage-of-all-authentications-methods-with-azuread\/\">Track the registration and usage of all authentication methods<\/a><\/li>\n<li><a href=\"https:\/\/jeffreyappel.nl\/monitor-azure-ad-break-glass-accounts-with-azure-sentinel\/\">Monitor Azure AD break-glass accounts with Sentinel<\/a><\/li>\n<li><a href=\"https:\/\/jeffreyappel.nl\/go-fully-passwordless-with-the-new-azure-ad-temporary-access-pass-feature\/\">Go Fully passwordless with the new AzureAD TAP feature<\/a><\/li>\n<\/ul>\n<h3>Legacy authentication<\/h3>\n<p>Another important task is to block legacy authentication for all sign-ins. Legacy authentication is the most compromising sign-in.\u00a0 Microsoft is going to disable basic\/ legacy authentication. It is recommended to implement Legacy Authentication as soon as possible and switch users to the latest modern authentication protocol. MFA or Passwordless is not enough. Hackers can still brute force passwords using older protocols without any modern authentication.<\/p>\n<p>More about Legacy authentication in this blog: <a href=\"https:\/\/jeffreyappel.nl\/block-legacy-authentication-now-and-dont-wait-for-microsoft\/\">https:\/\/jeffreyappel.nl\/block-legacy-authentication-now-and-dont-wait-for-microsoft\/<\/a><\/p>\n<h3>Identity protection<\/h3>\n<p>Identity Protection is the tool for protecting AzureAD accounts. Microsoft uses a new machine learning technique in Identity Protection to detect password spraying.<\/p>\n<p>For protecting and insights it is highly recommended to enable Identity Protection. Read this blog for more information: <a href=\"https:\/\/jeffreyappel.nl\/azure-ad-identity-protection-user-risk-and-sign-in-risk-protection-with-automation\/\">https:\/\/jeffreyappel.nl\/azure-ad-identity-protection-user-risk-and-sign-in-risk-protection-with-automation\/<\/a><\/p>\n<hr \/>\n<h2>Conclusion<\/h2>\n<p>Insights against brute force are important. Some basic AzureAD protection features can give easy protection against password spraying. With Sentinel more insights are possible.<\/p>\n<p>And if you have no MFA enabled:\u00a0 enable it and configure some Conditional Access rules for block legacy authentication, service account only from the corporate location, Break-Glass accounts, and some compliance baselines. The basics are important. <img decoding=\"async\" class=\"emoji\" role=\"img\" draggable=\"false\" src=\"https:\/\/s.w.org\/images\/core\/emoji\/13.0.1\/svg\/1f609.svg\" alt=\"\ud83d\ude09\" \/><\/p>\n<p>Next blog more information about Cloud App Security &amp; Defender for Identity for on-prem AD events.<\/p>\n<hr \/>\n<h2>Source<\/h2>\n<p>Medium\/ Derk van der Woude: <a href=\"https:\/\/derkvanderwoude.medium.com\/password-spray-from-attack-to-detection-and-prevention-87c48cede0c0\">Azure AD Password spray; from attack to detection (and prevention)<\/a><\/p>\n<p>Microsoft: <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/authentication\/concept-password-ban-bad\">Eliminate bad passwords using Azure Active Directory Password Protection<\/a><\/p>\n<p>Microsoft: <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/sentinel\/connect-azure-active-directory\">Connect Azure Active Directory (Azure AD) data to Azure Sentinel<\/a><\/p>\n<p>Microsoft: <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/04\/23\/protecting-organization-password-spray-attacks\/\">Protecting your organization against password spray attacks<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A Password Spraying Attack is\u00a0a type of brute force attack where a malicious actor attempts the same password on many accounts before moving on to another one and repeating the process. In this blog the explanation of detection and protection&#8230;<\/p>\n","protected":false},"author":1,"featured_media":3608,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[189],"tags":[223,208],"table_tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Protecting against password spray attacks with Azure Sentinel and Azure AD<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jeffreyappel.nl\/protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Protecting against password spray attacks with Azure Sentinel and Azure AD\" \/>\n<meta property=\"og:description\" content=\"A Password Spraying Attack is\u00a0a type of brute force attack where a malicious actor attempts the same password on many accounts before moving on to another one and repeating the process. In this blog the explanation of detection and protection...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jeffreyappel.nl\/protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad\/\" \/>\n<meta property=\"og:site_name\" content=\"Jeffrey Appel - Microsoft Security blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-08-04T22:23:30+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-08-12T21:47:19+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-05_00-12-31.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1535\" \/>\n\t<meta property=\"og:image:height\" content=\"684\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Jeffrey\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jeffrey\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jeffreyappel.nl\/protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad\/\",\"url\":\"https:\/\/jeffreyappel.nl\/protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad\/\",\"name\":\"Protecting against password spray attacks with Azure Sentinel and Azure AD\",\"isPartOf\":{\"@id\":\"https:\/\/jeffreyappel.nl\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/jeffreyappel.nl\/protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/jeffreyappel.nl\/protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-05_00-12-31.png\",\"datePublished\":\"2021-08-04T22:23:30+00:00\",\"dateModified\":\"2023-08-12T21:47:19+00:00\",\"author\":{\"@id\":\"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42\"},\"breadcrumb\":{\"@id\":\"https:\/\/jeffreyappel.nl\/protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jeffreyappel.nl\/protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jeffreyappel.nl\/protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad\/#primaryimage\",\"url\":\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-05_00-12-31.png\",\"contentUrl\":\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-05_00-12-31.png\",\"width\":1535,\"height\":684},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jeffreyappel.nl\/protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jeffreyappel.nl\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Protecting against password spray attacks with Azure Sentinel and Azure AD\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jeffreyappel.nl\/#website\",\"url\":\"https:\/\/jeffreyappel.nl\/\",\"name\":\"Jeffrey Appel - Microsoft Security blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jeffreyappel.nl\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42\",\"name\":\"Jeffrey\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jeffreyappel.nl\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g\",\"caption\":\"Jeffrey\"},\"url\":\"https:\/\/jeffreyappel.nl\/author\/contact\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Protecting against password spray attacks with Azure Sentinel and Azure AD","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jeffreyappel.nl\/protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad\/","og_locale":"en_US","og_type":"article","og_title":"Protecting against password spray attacks with Azure Sentinel and Azure AD","og_description":"A Password Spraying Attack is\u00a0a type of brute force attack where a malicious actor attempts the same password on many accounts before moving on to another one and repeating the process. In this blog the explanation of detection and protection...","og_url":"https:\/\/jeffreyappel.nl\/protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad\/","og_site_name":"Jeffrey Appel - Microsoft Security blog","article_published_time":"2021-08-04T22:23:30+00:00","article_modified_time":"2023-08-12T21:47:19+00:00","og_image":[{"width":1535,"height":684,"url":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-05_00-12-31.png","type":"image\/png"}],"author":"Jeffrey","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Jeffrey","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/jeffreyappel.nl\/protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad\/","url":"https:\/\/jeffreyappel.nl\/protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad\/","name":"Protecting against password spray attacks with Azure Sentinel and Azure AD","isPartOf":{"@id":"https:\/\/jeffreyappel.nl\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jeffreyappel.nl\/protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad\/#primaryimage"},"image":{"@id":"https:\/\/jeffreyappel.nl\/protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad\/#primaryimage"},"thumbnailUrl":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-05_00-12-31.png","datePublished":"2021-08-04T22:23:30+00:00","dateModified":"2023-08-12T21:47:19+00:00","author":{"@id":"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42"},"breadcrumb":{"@id":"https:\/\/jeffreyappel.nl\/protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jeffreyappel.nl\/protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jeffreyappel.nl\/protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad\/#primaryimage","url":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-05_00-12-31.png","contentUrl":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/08\/2021-08-05_00-12-31.png","width":1535,"height":684},{"@type":"BreadcrumbList","@id":"https:\/\/jeffreyappel.nl\/protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jeffreyappel.nl\/"},{"@type":"ListItem","position":2,"name":"Protecting against password spray attacks with Azure Sentinel and Azure AD"}]},{"@type":"WebSite","@id":"https:\/\/jeffreyappel.nl\/#website","url":"https:\/\/jeffreyappel.nl\/","name":"Jeffrey Appel - Microsoft Security blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jeffreyappel.nl\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42","name":"Jeffrey","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jeffreyappel.nl\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g","caption":"Jeffrey"},"url":"https:\/\/jeffreyappel.nl\/author\/contact\/"}]}},"amp_enabled":false,"_links":{"self":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts\/3589"}],"collection":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/comments?post=3589"}],"version-history":[{"count":2,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts\/3589\/revisions"}],"predecessor-version":[{"id":7430,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts\/3589\/revisions\/7430"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/media\/3608"}],"wp:attachment":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/media?parent=3589"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/categories?post=3589"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/tags?post=3589"},{"taxonomy":"table_tags","embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/table_tags?post=3589"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}