Brute-forced user has assigned a role

Set up the Azure integration.


Goal

Correlate a successful credential stuffing login with a user assuming a role.

Strategy

Correlate the Credential Stuffing Attack on Azure and Azure AD member assigned Global Administrator role signals based on the ARN: {{@userIdentity.arn}}.
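
The correlation described above, sketched in Python as an added example (it is not Datadog's rule implementation): the two signals are joined on the @userIdentity.arn value. The signal dict layout, the one-hour window, the requirement that the credential stuffing signal come first, and the sample identities are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Rule names as written in the Strategy text.
STUFFING = "Credential Stuffing Attack on Azure"
ROLE = "Azure AD member assigned Global Administrator role"
# Assumption: the page states no correlation window; one hour is illustrative.
WINDOW = timedelta(hours=1)


def correlate(signals, window=WINDOW):
    """Return (arn, stuffing_time, role_time) for every role assignment that
    follows a credential stuffing signal for the same ARN within `window`."""
    last_stuffing = {}  # arn -> time of the most recent stuffing signal
    hits = []
    for s in sorted(signals, key=lambda x: x["time"]):
        arn = (s.get("userIdentity") or {}).get("arn")
        if not arn:
            continue  # a signal without the join key cannot be correlated
        if s["rule"] == STUFFING:
            last_stuffing[arn] = s["time"]
        elif s["rule"] == ROLE:
            started = last_stuffing.get(arn)
            if started is not None and s["time"] - started <= window:
                hits.append((arn, started, s["time"]))
    return hits


def make_signal(rule, arn, minute):
    """Build a constructed signal `minute` minutes after a fixed base time."""
    return {"rule": rule, "userIdentity": {"arn": arn},
            "time": datetime(2024, 1, 1, 12, 0) + timedelta(minutes=minute)}


# Constructed sample signals (identities are placeholders, not real data).
SAMPLE = [
    make_signal(STUFFING, "user-a@example.com", 0),
    make_signal(ROLE, "user-a@example.com", 20),   # correlated
    make_signal(ROLE, "user-b@example.com", 25),   # no stuffing signal at all
    make_signal(STUFFING, "user-c@example.com", 0),
    make_signal(ROLE, "user-c@example.com", 90),   # outside the window
    make_signal(ROLE, "user-d@example.com", 5),    # role assigned before stuffing
    make_signal(STUFFING, "user-d@example.com", 10),
    make_signal(ROLE, None, 15),                   # missing join key, skipped
]

if __name__ == "__main__":
    for arn, start, end in correlate(SAMPLE):
        print(f"{arn}: stuffing at {start}, role assigned at {end}")
```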

Triage and response

  1. Set signal triage state to Under Review.
  2. Determine if the credential stuffing attack was successful.
    • If the login was not legitimate:
      • Investigate the user using the User Investigation Dashboard
      • Rotate credentials on the credential stuffed account
      • Enable MFA if it is not already enabled
    • If the login was legitimate:
      • Triage the signal as a false positive