{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/credential-stuffing/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azuread","brute-force","credential-stuffing","authentication"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis brief focuses on detecting abnormal increases in failed authentication attempts within Azure Active Directory (Azure AD). An adversary attempting to gain unauthorized access to user accounts or systems often performs brute-force or credential stuffing attacks. These attacks result in a higher-than-normal number of failed sign-in attempts. Monitoring and detecting such increases can provide early warning of potential breaches or compromised accounts. Defenders should investigate any significant spikes in failed authentications as they might indicate malicious activity targeting user accounts or application access. The detection is based on analysis of Azure AD sign-in logs to identify when the number of failed sign-ins increases by 10% or greater, warranting further investigation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker attempts to gain initial access through various methods, such as phishing, compromised credentials, or exploiting vulnerabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Stuffing/Brute-Force:\u003c/strong\u003e The attacker uses lists of known usernames and passwords (credential stuffing) or systematically tries different password combinations (brute-force) against Azure AD accounts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Attempts:\u003c/strong\u003e Each failed authentication attempt is logged within Azure AD sign-in logs, recording details such as username, IP address, and failure reason.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eThreshold Exceeded:\u003c/strong\u003e The number of failed sign-in attempts reaches a threshold, triggering the detection rule based on a 10% or greater increase.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Lockout (Potential):\u003c/strong\u003e Multiple failed authentication attempts may lead to account lockouts, disrupting legitimate user access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuccessful Authentication (Potential):\u003c/strong\u003e If the attacker guesses the correct credentials, they gain unauthorized access to the target account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation/Lateral Movement:\u003c/strong\u003e After gaining access, the attacker attempts to escalate privileges or move laterally within the network to access sensitive data or systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Impact:\u003c/strong\u003e The attacker exfiltrates sensitive data or causes disruption to services depending on their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful brute-force or credential stuffing attack can lead to unauthorized access to user accounts, data breaches, and service disruptions. Depending on the compromised account\u0026rsquo;s privileges, the attacker may gain access to sensitive information, escalate privileges, or move laterally within the organization\u0026rsquo;s network. The impact could range from minor data leaks to significant financial losses and reputational damage. Early detection and mitigation are crucial to minimize the impact of such attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect increases in failed Azure AD sign-in attempts and tune the threshold (10%) based on your environment (\u003ccode\u003eCount: \u0026quot;\u0026lt;10%\u0026quot;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule to determine the source and scope of the increased failed authentications.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all users to mitigate the risk of credential-based attacks.\u003c/li\u003e\n\u003cli\u003eImplement account lockout policies to prevent attackers from repeatedly attempting to guess passwords.\u003c/li\u003e\n\u003cli\u003eMonitor sign-in logs for unusual patterns, such as sign-ins from unfamiliar locations or devices, to identify potentially compromised accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"/briefs/2024-01-02-azure-ad-failed-auth-increase/","summary":"Detects a significant increase (10% or greater) in failed Azure AD sign-in attempts, potentially indicating brute-force attacks, credential stuffing, or other unauthorized access attempts.","title":"Azure AD Failed Authentication Increase","url":"https://feed.craftedsignal.io/briefs/2024-01-02-azure-ad-failed-auth-increase/"}],"language":"en","title":"CraftedSignal Threat Feed — Credential-Stuffing","version":"https://jsonfeed.org/version/1.1"}