AZT202 - Password Spraying

An adversary may potentially gain access to AzureAD by guessing a common password for multiple users.

Resource

Azure Active Directory

Actions

N/A

Examples

Az PowerShell (Secret)Azure CLI

Connect-AzAccount

az login -u <username> -p <password>

Detections

Logs

Data Source	Application	Resource	Log Provider
Azure Active Directory	Azure Portal	Windows Azure Service Management API	SignInLogs
Azure Active Directory	Microsoft Azure PowerShell	Windows Azure Service Management API	SignInLogs

Detection Screenshots

Detection Notes

The main difference between a successful and unsuccessful login is the 'Status' field, which will designate a "Success" or "Failure".

Queries

Platform	Query
Log Analytics	SignInLogs | where UserId == 'IDGOESHERE'

Azure Monitor Alert

Additional Resources

• https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
• https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray
• https://docs.microsoft.com/en-us/graph/api/resources/azure-ad-auditlog-overview?view=graph-rest-1.0