Brute-forced user has assigned a role

Set up the Azure integration.

Goal

Correlate a successful credential stuffing login with a user assuming a role.

Strategy

Correlate the "Credential Stuffing Attack on Azure" and "Azure AD member assigned Global Administrator role" signals based on the ARN: {{@userIdentity.arn}}.
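
The correlation described above, sketched as an added example; it is not the rule definition behind this page. The one-hour window, the requirement that the role assignment follow the credential stuffing signal, the dictionary field names and the sample identities are all assumptions.

```python
from datetime import datetime, timedelta

# Signal names as given on this page.
STUFFING = "Credential Stuffing Attack on Azure"
ROLE = "Azure AD member assigned Global Administrator role"

# Assumption: the page states no correlation window; one hour is used here.
WINDOW = timedelta(hours=1)


def correlate(signals, window=WINDOW):
    """Return (key, stuffing_time, role_time) for each role-assignment signal
    that follows a credential stuffing signal for the same key within window."""
    last_stuffing = {}  # correlation key -> time of the most recent stuffing signal
    hits = []
    for sig in sorted(signals, key=lambda s: s["time"]):
        key = sig.get("arn")  # stands in for the {{@userIdentity.arn}} value
        if not key:
            continue  # a signal without the correlation field cannot be joined
        if sig["rule"] == STUFFING:
            last_stuffing[key] = sig["time"]
        elif sig["rule"] == ROLE:
            seen = last_stuffing.get(key)
            if seen is not None and sig["time"] - seen <= window:
                hits.append((key, seen, sig["time"]))
    return hits


def _t(hhmm):
    return datetime.fromisoformat(f"2024-01-01T{hhmm}:00")


# Constructed sample signals; the identities are placeholders.
SAMPLE = [
    {"rule": STUFFING, "arn": "user-a@example.com", "time": _t("09:00")},
    {"rule": ROLE, "arn": "user-a@example.com", "time": _t("09:20")},  # match
    {"rule": ROLE, "arn": "user-b@example.com", "time": _t("09:25")},  # no stuffing signal
    {"rule": STUFFING, "arn": "user-c@example.com", "time": _t("08:00")},
    {"rule": ROLE, "arn": "user-c@example.com", "time": _t("10:30")},  # outside window
    {"rule": ROLE, "arn": None, "time": _t("09:30")},                  # missing key
    {"rule": ROLE, "arn": "user-d@example.com", "time": _t("07:00")},  # role came first
    {"rule": STUFFING, "arn": "user-d@example.com", "time": _t("07:10")},
]

if __name__ == "__main__":
    for key, stuffed, assigned in correlate(SAMPLE):
        print(f"{key}: stuffing at {stuffed:%H:%M}, role assigned at {assigned:%H:%M}")
```

Only the user-a pair produces a correlated result; the other samples show the cases a join on identity alone would get wrong (no preceding signal, expired window, missing key, reversed order).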

Triage and response

  1. Set signal triage state to Under Review.
  2. Determine if the credential stuffing attack was successful.
    • If the login was not legitimate:
      • Investigate the user using the User Investigation Dashboard
      • Rotate credentials on the credential stuffed account
      • Enable MFA if it is not already enabled
    • If the login was legitimate:
      • Triage the signal as a false positive