{"id":3589,"date":"2021-08-05T00:23:30","date_gmt":"2021-08-04T22:23:30","guid":{"rendered":"https:\/\/jeffreyappel.nl\/?p=3589"},"modified":"2023-08-12T23:47:19","modified_gmt":"2023-08-12T21:47:19","slug":"protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad","status":"publish","type":"post","link":"https:\/\/jeffreyappel.nl\/protecting-against-password-spray-attacks-with-azure-sentinel-and-azure-ad\/","title":{"rendered":"Protecting against password spray attacks with Azure Sentinel and Azure AD"},"content":{"rendered":"
A password spraying attack is a type of brute-force attack in which a malicious actor tries the same password against many accounts before moving on to the next password and repeating the process. This blog explains how to detect and protect against password spray attacks.

Three steps are needed for a successful password spray attack

Step 1: It all starts with a list of accounts and e-mail addresses. With the cloud-based tooling and data leaks that are available, this list is not hard to complete in a few hours. Most organizations use a formal convention for their e-mail addresses, for example firstname.lastname@companyname.com, so account names are easy to generate from social media channels such as LinkedIn. And of course, a lot of data from breaches containing e-mail information is available.

Step 2: The next step is spraying the passwords. Passwords are not hard to find on the public web: every year multiple lists of the most-used passwords are published, and 123456, password and qwerty are still among the most common. (It is always good not to use this type of password, or to go password-less.) Hackers will of course also use the dark web for more password information. In a password spray attack, hackers try often-used passwords against multiple users, spread out over time with a delay between sign-ins so that the attempts resemble normal sign-in behaviour.

Step 3: The goal is to gain access with one of the passwords on one of the accounts. For attackers, one successful username and password combination is usually enough to perform internal reconnaissance on the target network and go deeper into the systems through elevation of privilege.

Protection against password spray attacks is important. This blog explains the following protection features:

Run the password spray

It is quite simple to create an input.txt file with usernames from any public leak or social site. Once you know the format, you can easily fill in most of the e-mail addresses. Multiple Python scripts are available for validating e-mail accounts against Azure AD, with the result being only the Office 365 accounts.

Now use one of the password spray PowerShell scripts or any other tooling to run a password spray attack. In case of no matching password:

Bingo! Password matching.

When you have access without MFA, it is quite easy to view the other Azure AD information with some Azure AD framework tools.

Most common events for password spraying: