Query Details

HUNT 02 ADFS Password Spray Suspects 14d

Query

id: a1f00002-0002-4002-9002-adfs00000002
name: HUNT-02 ADFS Password Spray Suspects (14d)
description: |
  14-day rollup of single-IP password spray candidates (bad-password +
  user-not-found error families) hitting ADFS. Useful for retro-hunting
  campaigns that fell under RULE-02/03 thresholds.
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - ADFSSignInLogs
tactics:
  - CredentialAccess
relevantTechniques:
  - T1110.003
query: |
  let SprayErrors = dynamic(["50126", "50034", "50053", "396083"]);
  ADFSSignInLogs
  | invoke ExcludeAllowlistedIPs()
  | where TimeGenerated > ago(14d)
  | where ResultType in (SprayErrors)
  | summarize
      Attempts        = count(),
      UniqueUsers     = dcount(UserPrincipalName),
      Users           = make_set(UserPrincipalName, 25),
      ResultTypes     = make_set(ResultType, 10),
      Countries       = make_set(Location, 10),
      FirstSeen       = min(TimeGenerated),
      LastSeen        = max(TimeGenerated),
      DistinctDays    = dcount(startofday(TimeGenerated))
    by IPAddress
  | where UniqueUsers >= 5
  | extend SustainedCampaign = DistinctDays >= 3
  | order by UniqueUsers desc, Attempts desc

Explanation

This query is designed to identify potential password spray attacks targeting Active Directory Federation Services (ADFS) over a 14-day period. Here's a breakdown of what it does in simple terms:

  1. Purpose: The query aims to detect IP addresses that might be running password spray attacks, in which an attacker tries a small number of passwords against many accounts to gain unauthorized access.

  2. Data Source: It uses ADFS sign-in logs (ADFSSignInLogs), specifically the error codes that indicate failed logins due to incorrect passwords or non-existent users.

  3. Process:

    • It filters out any IP addresses that are on an allowlist (via the ExcludeAllowlistedIPs function).
    • It focuses on log entries from the past 14 days.
    • It keeps only the specific error codes that suggest password spray attempts.

  4. Analysis (per source IP address):

    • It counts the total number of login attempts.
    • It counts how many unique users were targeted.
    • It collects a list of up to 25 targeted users and up to 10 distinct error codes.
    • It collects up to 10 countries from which the attempts originated.
    • It records the first and last time the IP was seen attempting a login.
    • It calculates how many distinct days the IP was active.

  5. Criteria for Concern:

    • An IP address is kept in the results only if it targeted at least 5 unique users.
    • Each remaining IP is marked as a SustainedCampaign when it was active on at least 3 different days; this is a flag on the row, not an additional filter.

  6. Output:

    • The results are sorted so that IP addresses with the most unique users targeted, and then the highest number of attempts, appear first.

This query helps security teams identify and investigate potential password spray attacks, allowing them to take action to protect their systems.
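To sanity-check the thresholds offline (for example against exported sign-in records) before changing them in the hunt, the same rollup can be reproduced outside KQL. The following is an added Python reimplementation of the query's logic, not code from the hunt or its repository; the sample events, the NOW reference time and the allowlist contents are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Same error families the hunt query treats as spray candidates.
SPRAY_ERRORS = {"50126", "50034", "50053", "396083"}
ALLOWLISTED_IPS = {"10.0.0.5"}   # constructed stand-in for ExcludeAllowlistedIPs()

def spray_suspects(events, now, window_days=14, min_users=5, sustained_days=3):
    """Per-IPAddress rollup of sign-in dicts (TimeGenerated as datetime, ResultType,
    UserPrincipalName, Location, IPAddress), sorted like the query."""
    cutoff = now - timedelta(days=window_days)
    per_ip = defaultdict(list)
    for e in events:
        if e["IPAddress"] in ALLOWLISTED_IPS or e["TimeGenerated"] <= cutoff:
            continue                                # allowlist + ago(14d) filters
        if e["ResultType"] not in SPRAY_ERRORS:     # where ResultType in (SprayErrors)
            continue
        per_ip[e["IPAddress"]].append(e)
    rows = []
    for ip, evs in per_ip.items():
        users = {e["UserPrincipalName"] for e in evs}
        if len(users) < min_users:                  # where UniqueUsers >= 5
            continue
        days = {e["TimeGenerated"].date() for e in evs}   # dcount(startofday(...))
        rows.append({
            "IPAddress": ip, "Attempts": len(evs), "UniqueUsers": len(users),
            "ResultTypes": sorted({e["ResultType"] for e in evs}),
            "Countries": sorted({e["Location"] for e in evs}),
            "FirstSeen": min(e["TimeGenerated"] for e in evs),
            "LastSeen": max(e["TimeGenerated"] for e in evs),
            "DistinctDays": len(days), "SustainedCampaign": len(days) >= sustained_days,
        })
    rows.sort(key=lambda r: (-r["UniqueUsers"], -r["Attempts"]))   # order by ...
    return rows

NOW = datetime(2026, 5, 13, 12, 0)   # constructed reference time for the sample

def sample_events(now=NOW):
    """Constructed sample: a slow 4-day spray (2 accounts/day from 203.0.113.7)
    that a per-day rule could miss, plus one user mistyping their own password."""
    evs = [{"TimeGenerated": now - timedelta(days=d, hours=n), "ResultType": "50126",
            "UserPrincipalName": f"user{d}{n}@corp.example", "Location": "NL",
            "IPAddress": "203.0.113.7"} for d in range(4) for n in range(2)]
    evs += [{"TimeGenerated": now - timedelta(minutes=n), "ResultType": "50126",
             "UserPrincipalName": "alice@corp.example", "Location": "US",
             "IPAddress": "198.51.100.9"} for n in range(6)]
    return evs

def run_sample():
    return spray_suspects(sample_events(), NOW)
```

With the constructed sample, only 203.0.113.7 survives the 5-user threshold (8 users over 4 days, so SustainedCampaign is true), while the single user with 6 failures from 198.51.100.9 is dropped.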

Details


David Alonso

Released: May 13, 2026

Tables

ADFSSignInLogs

Keywords

ADFS, ADFSSignInLogs, IPAddress, UserPrincipalName, Location, TimeGenerated

Operators

let, dynamic, invoke, ExcludeAllowlistedIPs, where, in, summarize, count, dcount, make_set, min, max, startofday, by, extend, order by, desc
