‘Brute force’ vs ‘password spray’ attack in Azure Sentinel

The purpose of this blog is to explain the difference between ‘brute force’ and ‘password spray’ attacks with real world data and visualization via the Azure Sentinel Logs (e.g. Hunting) and Workbooks feature.

Brute force attack

A brute force attack uses multiple passwords (automated from a password list, for example) against one user account.

This attack is easily detected by security systems, and the account is typically locked out (Azure AD Smart Lockout is a feature that protects the user against this type of attack).

Password spray attack

A password spray attack uses one (commonly used) password against multiple user accounts.

This attack method is not easily detected by security systems, because each individual account sees only a single failed sign-in and no lockout threshold is reached.

Azure Sentinel

Azure Sentinel can be used to detect and visualize both types of attacks. The required Data Connector is Azure Active Directory (which requires at least an Azure AD Premium P1 license), which delivers the SigninLogs table.

Logs

The Logs section provides easy access to KQL for querying the data in the Log Analytics workspace (the queries can later be reused in incident or hunting rules). The table we will use is SigninLogs, and the column that carries the sign-in result is ResultType.

Brute Force Attack

The query must only show the failed ResultType(s) for accounts that were targeted from more than one IP address and more than one country. The resulting query is shown below (set the time range to 7 or 30 days, for example).

// brute force attack: one account targeted from many IP addresses / countries
// 50126 = invalid username or password, 50053 = account locked out (smart lockout)
SigninLogs
| where ResultType == "50126" or ResultType == "50053"
| project Identity, Location, IPAddress
| summarize IPs = dcount(IPAddress), Locations = make_set(Location) by Identity
| where IPs > 1 and Locations[1] != ""   // more than one IP and at least two locations
| sort by IPs desc

The output of the query is shown below (names are anonymized).

As you can see, user ‘anonymous’ is attacked from 258 different IP addresses in different countries. Unless user ‘anonymous’ is on a ‘world trip’, this can be an example of a brute force attack in which different IP addresses and countries are used to evade detection.

Password Spray attack

The query must only show the failed ResultType(s) for source IP addresses that targeted more than one user. The resulting query is shown below (set the time range to 7 or 30 days, for example).

// password spray attack: one source IP address targeting many accounts
// 50126 = invalid username or password, 50053 = account locked out (smart lockout)
SigninLogs
| where ResultType == "50053" or ResultType == "50126"
| project Identity, Location, IPAddress
| summarize USERs = make_set(Identity) by Location, IPAddress
| where USERs[1] != ""   // keep only sources that hit more than one account

The output of the query is shown below (names are anonymized).

The output shows an IP address (219.93.121.22, located in Malaysia, see https://www.abuseipdb.com/check/219.93.121.22) attacking multiple users within the organization; this can be an example of a password spray attack.
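To make the two detections concrete without a workspace, here is an added Python re-implementation of the logic of the brute force and password spray queries above (this is not code from the blog or from Azure Sentinel). It runs over a handful of constructed rows that use the SigninLogs column names; the identities and addresses are invented.

```python
"""Re-implementation of the blog's two SigninLogs detections over constructed sample rows."""
from collections import defaultdict

# Constructed sample rows using the SigninLogs columns the queries project.
# Addresses are RFC 5737 documentation ranges; identities are invented.
# ResultType 50126 = invalid username or password, 50053 = account locked out.
SAMPLE_SIGNIN_LOGS = [
    {"Identity": "anonymous", "Location": "NL", "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"Identity": "anonymous", "Location": "US", "IPAddress": "198.51.100.7", "ResultType": "50126"},
    {"Identity": "anonymous", "Location": "BR", "IPAddress": "192.0.2.44",   "ResultType": "50053"},
    {"Identity": "alice",     "Location": "NL", "IPAddress": "203.0.113.10", "ResultType": "0"},  # success, ignored
    {"Identity": "alice",     "Location": "MY", "IPAddress": "192.0.2.99",   "ResultType": "50126"},
    {"Identity": "bob",       "Location": "MY", "IPAddress": "192.0.2.99",   "ResultType": "50126"},
    {"Identity": "carol",     "Location": "MY", "IPAddress": "192.0.2.99",   "ResultType": "50126"},
    {"Identity": "dave",      "Location": "NL", "IPAddress": "203.0.113.55", "ResultType": "50126"},  # lone failure
]

FAILED_AUTH_RESULT_TYPES = {"50126", "50053"}


def failed_signins(rows):
    """Equivalent of the `where ResultType == ...` filter in both queries."""
    return [r for r in rows if r["ResultType"] in FAILED_AUTH_RESULT_TYPES]


def brute_force_candidates(rows):
    """Mirror of the brute force query: per Identity, count distinct IPs and collect
    Locations; keep accounts hit from more than one IP and more than one location.
    Returns (Identity, distinct IP count, sorted locations), sorted by IP count desc."""
    ips, locs = defaultdict(set), defaultdict(set)
    for r in failed_signins(rows):
        ips[r["Identity"]].add(r["IPAddress"])
        locs[r["Identity"]].add(r["Location"])
    hits = [(ident, len(ips[ident]), sorted(locs[ident]))
            for ident in ips if len(ips[ident]) > 1 and len(locs[ident]) > 1]
    return sorted(hits, key=lambda t: t[1], reverse=True)


def password_spray_candidates(rows):
    """Mirror of the spray query: per (Location, IPAddress), collect the targeted
    identities; keep only sources that touched more than one account."""
    users = defaultdict(set)
    for r in failed_signins(rows):
        users[(r["Location"], r["IPAddress"])].add(r["Identity"])
    return {src: sorted(u) for src, u in users.items() if len(u) > 1}


if __name__ == "__main__":
    print("brute force:", brute_force_candidates(SAMPLE_SIGNIN_LOGS))
    print("password spray:", password_spray_candidates(SAMPLE_SIGNIN_LOGS))
```

Note that the same source (192.0.2.99) never shows up in the brute force view and the same account (‘anonymous’) never shows up in the spray view, which is exactly why both queries are needed.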

Workbooks

Workbooks can be used to provide an overview of the attacks on a world map (for example, Asia might be more malicious than Europe for a Dutch organization). We can use the information (query and map settings) below to get a visual world map of the password attack(s) on the Office 365 (Azure AD) tenant.

Query

// failed sign-ins for the workbook map: 50126 = invalid username or password, 50053 = account locked out
SigninLogs
| where ResultType == "50126" or ResultType == "50053"

Map Settings

The result is the world map below, showing attack origin by country.

If you have any questions about Azure Sentinel or Microsoft Security in general (Microsoft 365 E5, for example), please contact me or the InSpark Cybersecurity department.

Chief Technology Officer @ Nedscaper