AZT202 - Password Spraying

An adversary may potentially gain access to AzureAD by guessing a common password for multiple users.

Resource

Azure Active Directory

Actions

N/A

Examples

Az PowerShell (Secret)Azure CLI

Connect-AzAccount

az login -u <username> -p <password>

Detections

Logs

Data Source	Application	Resource	Log Location
Azure Active Directory	Azure Portal	Windows Azure Service Management API	Sign-in Logs
Azure Active Directory	Microsoft Azure PowerShell	Windows Azure Service Management API	Sign-in Logs

Detection Screenshots

Detection Notes

The main difference between a successful and unsuccessful login is the 'Status' field, which will designate a "Success" or "Failure".

Additional Resources

• https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
• https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray
• https://docs.microsoft.com/en-us/graph/api/resources/azure-ad-auditlog-overview?view=graph-rest-1.0