Password Change After Succesful Brute Force
Query
let FailedLogonsThreshold = 20;
let SuccessfulLogonsThreshold = 1;
let TimeWindow = 15m;
// Time between the succesful brute force and password change. Difference should be added in minutes
let SearchWindow = 120;
IdentityLogonEvents
// Filter emtpy UPN
| where isnotempty(AccountUpn)
| summarize
TotalAttempts = count(),
SuccessfulAttempts = countif(ActionType == "LogonSuccess"),
FailedAttempts = countif(ActionType == "LogonFailed")
by bin(Timestamp, TimeWindow), AccountUpn
// Use variables to define brute force attack
| where SuccessfulAttempts >= SuccessfulLogonsThreshold and FailedAttempts >= FailedLogonsThreshold
// join password changes
| join kind=inner (IdentityDirectoryEvents
| where Timestamp > ago(30d)
| where ActionType == "Account Password changed"
| where isnotempty(TargetAccountUpn)
| extend PasswordChangeTime = Timestamp
| project PasswordChangeTime, TargetAccountUpn)
on $left.AccountUpn == $right.TargetAccountUpn
// Collect timedifference between brute force (note that is uses the bin time) and the password change
| extend TimeDifference = datetime_diff('minute', PasswordChangeTime, Timestamp)
// Remove all entries where the password change took place before the brute force
| where TimeDifference > 0
| where TimeDifference <= SearchWindowAbout this query
Explanation
This query is designed to detect a security threat where an attacker successfully performs a brute force attack on an account and then changes the password to maintain access. Here's a simplified breakdown of what the query does:
-
Thresholds and Time Windows:
- It sets thresholds for failed and successful login attempts to identify potential brute force attacks.
- It defines a time window to check for these login attempts and a search window to find password changes after a successful brute force.
-
Logon Events Analysis:
- It looks at login events to count how many times an account had failed and successful login attempts within a specified time window.
- It filters out accounts that meet the criteria for a brute force attack (i.e., a high number of failed attempts followed by at least one successful attempt).
-
Password Change Detection:
- It checks for password change events within a certain period after the successful brute force attack.
- It ensures that the password change happened after the brute force attack and within the specified search window.
-
Result:
- The query identifies accounts that have been compromised through brute force and had their passwords changed shortly after, indicating a potential security breach.
This query helps security teams detect and respond to account manipulation threats by highlighting suspicious activity patterns.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
IdentityLogonEventsIdentityDirectoryEvents
Keywords
IdentityLogonEventsAccountPasswordUpnTargetChangeTimeGenerated
Operators
letIdentityLogonEventswhereisnotemptysummarizecountcountifbybinjoinkindinneragoextendprojectondatetime_diff