LoFP / automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.

Techniques

• T1110

Sample rules

Potential Password Spraying of Microsoft 365 User Accounts

• source: elastic
• technicques:
  • T1110

Description

Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.

Detection logic

event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and
event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword")

O365 Excessive Single Sign-On Logon Errors

• source: elastic
• technicques:
  • T1110

Description

Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.

Detection logic

event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:"SsoArtifactInvalidOrExpired"

Attempts to Brute Force a Microsoft 365 User Account

• source: elastic
• technicques:
  • T1110

Description

Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.

Detection logic

event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and
  event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and
  not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or
                             UserStrongAuthClientAuthNRequired or InvalidReplyTo)

AWS Management Console Brute Force of Root User Identity

• source: elastic
• technicques:
  • T1110

Description

Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.

Detection logic

event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure

Okta Brute Force or Password Spraying Attack

• source: elastic
• technicques:
  • T1110

Description

Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.

Detection logic

event.dataset:okta.system and event.category:authentication and event.outcome:failure