Credential-Stuffing — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/credential-stuffing/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 02 Jan 2024 15:00:00 +0000Azure AD Failed Authentication Increasehttps://feed.craftedsignal.io/briefs/2024-01-02-azure-ad-failed-auth-increase/Tue, 02 Jan 2024 15:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-02-azure-ad-failed-auth-increase/Detects a significant increase (10% or greater) in failed Azure AD sign-in attempts, potentially indicating brute-force attacks, credential stuffing, or other unauthorized access attempts.This brief focuses on detecting abnormal increases in failed authentication attempts within Azure Active Directory (Azure AD). An adversary attempting to gain unauthorized access to user accounts or systems often performs brute-force or credential stuffing attacks. These attacks result in a higher-than-normal number of failed sign-in attempts. Monitoring and detecting such increases can provide early warning of potential breaches or compromised accounts. Defenders should investigate any significant spikes in failed authentications as they might indicate malicious activity targeting user accounts or application access. The detection is based on analysis of Azure AD sign-in logs to identify when the number of failed sign-ins increases by 10% or greater, warranting further investigation.

Attack Chain

  1. Initial Access: The attacker attempts to gain initial access through various methods, such as phishing, compromised credentials, or exploiting vulnerabilities.
  2. Credential Stuffing/Brute-Force: The attacker uses lists of known usernames and passwords (credential stuffing) or systematically tries different password combinations (brute-force) against Azure AD accounts.
  3. Authentication Attempts: Each failed authentication attempt is logged within Azure AD sign-in logs, recording details such as username, IP address, and failure reason.
  4. Threshold Exceeded: The number of failed sign-in attempts reaches a threshold, triggering the detection rule based on a 10% or greater increase.
  5. Account Lockout (Potential): Multiple failed authentication attempts may lead to account lockouts, disrupting legitimate user access.
  6. Successful Authentication (Potential): If the attacker guesses the correct credentials, they gain unauthorized access to the target account.
  7. Privilege Escalation/Lateral Movement: After gaining access, the attacker attempts to escalate privileges or move laterally within the network to access sensitive data or systems.
  8. Data Exfiltration/Impact: The attacker exfiltrates sensitive data or causes disruption to services depending on their objectives.

Impact

A successful brute-force or credential stuffing attack can lead to unauthorized access to user accounts, data breaches, and service disruptions. Depending on the compromised account’s privileges, the attacker may gain access to sensitive information, escalate privileges, or move laterally within the organization’s network. The impact could range from minor data leaks to significant financial losses and reputational damage. Early detection and mitigation are crucial to minimize the impact of such attacks.

Recommendation

  • Deploy the provided Sigma rule to your SIEM to detect increases in failed Azure AD sign-in attempts and tune the threshold (10%) based on your environment (Count: "<10%").
  • Investigate alerts generated by the Sigma rule to determine the source and scope of the increased failed authentications.
  • Enforce multi-factor authentication (MFA) for all users to mitigate the risk of credential-based attacks.
  • Implement account lockout policies to prevent attackers from repeatedly attempting to guess passwords.
  • Monitor sign-in logs for unusual patterns, such as sign-ins from unfamiliar locations or devices, to identify potential compromised accounts.
]]>mediumadvisoryazureadbrute-forcecredential-stuffingauthentication