Query Details

Password Change After Succesful Brute Force

Query

let FailedLogonsThreshold = 20;
let SuccessfulLogonsThreshold = 1;
let TimeWindow = 15m;
// Time between the succesful brute force and password change. Difference should be added in minutes
let SearchWindow = 120;
IdentityLogonEvents
// Filter emtpy UPN
| where isnotempty(AccountUpn)
| summarize
    TotalAttempts = count(),
    SuccessfulAttempts = countif(ActionType == "LogonSuccess"),
    FailedAttempts = countif(ActionType == "LogonFailed")
    by bin(Timestamp, TimeWindow), AccountUpn
// Use variables to define brute force attack
| where SuccessfulAttempts >= SuccessfulLogonsThreshold and FailedAttempts >= FailedLogonsThreshold
// join password changes
| join kind=inner (IdentityDirectoryEvents
    | where Timestamp > ago(30d)
    | where ActionType == "Account Password changed"
    | where isnotempty(TargetAccountUpn)
    | extend PasswordChangeTime = Timestamp
    | project PasswordChangeTime, TargetAccountUpn)
    on $left.AccountUpn == $right.TargetAccountUpn
// Collect timedifference between brute force (note that is uses the bin time) and the password change
| extend TimeDifference = datetime_diff('minute', PasswordChangeTime, Timestamp)
// Remove all entries where the password change took place before the brute force
| where TimeDifference > 0
| where TimeDifference <= SearchWindow

About this query

Explanation

This query is designed to detect a security threat where an attacker successfully performs a brute force attack on an account and then changes the password to maintain access. Here's a simplified breakdown of what the query does:

  1. Thresholds and Time Windows:

    • It sets thresholds for failed and successful login attempts to identify potential brute force attacks.
    • It defines a time window to check for these login attempts and a search window to find password changes after a successful brute force.
  2. Logon Events Analysis:

    • It looks at login events to count how many times an account had failed and successful login attempts within a specified time window.
    • It filters out accounts that meet the criteria for a brute force attack (i.e., a high number of failed attempts followed by at least one successful attempt).
  3. Password Change Detection:

    • It checks for password change events within a certain period after the successful brute force attack.
    • It ensures that the password change happened after the brute force attack and within the specified search window.
  4. Result:

    • The query identifies accounts that have been compromised through brute force and had their passwords changed shortly after, indicating a potential security breach.

This query helps security teams detect and respond to account manipulation threats by highlighting suspicious activity patterns.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

IdentityLogonEventsIdentityDirectoryEvents

Keywords

IdentityLogonEventsAccountPasswordUpnTargetChangeTimeGenerated

Operators

letIdentityLogonEventswhereisnotemptysummarizecountcountifbybinjoinkindinneragoextendprojectondatetime_diff

MITRE Techniques

Actions

GitHub