Visualize Entra Password Spray Attack With ADX Interactive Map
Query
//Visualize Entra Password Spray Attack with ADX Interactive Map
//https://www.linkedin.com/pulse/visualize-entra-password-spray-attack-adx-interactive-steven-lim-dfonc/
//For those interested in visualizing password spray attack on the top picture chart, you can use the below KQL and view in "Chart" mode.
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == "50053" or ResultType == "50126"
| summarize PasswordSpray_Per_HalfHour=count() by bin (TimeGenerated, 30m)
//Replace the above blog's KQL with the below KQL to visualize Password Spray Attack locations.
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == "50053" or ResultType == "50126"
| where isnotempty(LocationDetails.geoCoordinates)
| extend Latitude = toreal(LocationDetails.geoCoordinates["latitude"])
| extend Longitude = toreal(LocationDetails.geoCoordinates["longitude"])
| summarize Count = count() by Longitude, Latitude
| project Longitude, Latitude, Count
| render scatterchart with (kind=map)
// MITRE ATT&CK Mapping
// The KQL code you provided is designed to detect and visualize password spray attacks. Here’s a breakdown of the associated MITRE ATT&CK techniques:
// Password Spray Detection:
// T1110.003 - Brute Force: Password Spraying: This technique involves attempting to gain unauthorized access to accounts by trying a few common passwords against many accounts. The first part of your KQL code detects password spray attacks by looking for specific result types (50053 and 50126) and summarizing the count of these events in 30-minute intervals.
// Geolocation of Password Spray Attacks:
// T1078 - Valid Accounts: The second part of your KQL code extends the detection by adding geolocation data to visualize where these password spray attempts are coming from. This helps in identifying potential sources of the attacks and can be useful for further investigation and response.Explanation
This query is designed to help you detect and visualize password spray attacks using data from SigninLogs. Here's a simple breakdown:
-
Detecting Password Spray Attacks:
- The query looks at login attempts from the past 7 days.
- It filters for specific result types (50053 and 50126), which indicate failed login attempts that could be part of a password spray attack.
- It counts how many of these attempts occur every 30 minutes, helping to identify patterns or spikes in activity.
-
Visualizing Attack Locations:
- The query further filters for login attempts that have geolocation data.
- It extracts latitude and longitude information from these attempts.
- It then counts the number of attempts from each location and plots them on a map as a scatter chart. This visualization helps identify where the attacks are originating from geographically.
-
MITRE ATT&CK Techniques:
- The query maps to specific MITRE ATT&CK techniques:
- T1110.003 (Password Spraying): The first part of the query detects password spray attacks by identifying failed login attempts.
- T1078 (Valid Accounts): The second part adds geolocation data to understand the source of these attacks, aiding in further investigation.
- The query maps to specific MITRE ATT&CK techniques:
Overall, this query helps security analysts monitor and respond to potential password spray attacks by providing both temporal and geographical insights.
