Brute force detection in Defender for Identity

Copper Contributor

Hi,

Defender for Identity and Sentinel both offer detection capabilities for brute force attacks such as password guessing and password spray (Mitre T1110).

 

Sentinel is detecting this technique simply by counting failed logon attempts (event id 4625). But that does not take into consideration if the attempts fail with different passwords for every attempt or if the password is the same for all attempts. The latter is commonly caused by misconfigurations and can lead to high volumes of false positives.

 

Does anybody know if Defender for Identity is capable to detect if authentication attempts are using the same or different passwords? Potentially by looking at the hashes during authentication? The documentation unfortunately does not specify that.

 

Thanks!

 

Defender for Identity

Suspected Brute Force attack (LDAP)

Suspected Brute Force attack (Kerberos, NTLM) 

 

Sentinel

Excessive Windows Logon Failures 

Multiple authentication failures followed by a success

 

2 Replies

@_Mathias_ Unfortunately not, there would be no way for even Defender for identity to know if the same password is being used or something different due to the password being encrypted and a random hash value being sent (from my understanding)

 

Best course of action here is to create a ML based analytic that detects how many attempts someone has made, how fast and within what time pattern

 

Check out the below for further information

https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/anomaly-detection

@BillClarksonAntillThank you for your reply. My understanding is the same but I have observed the following and similar alerts from Defender for Identity in our environments:

An actor on Device XXX tried 25 passwords on User YYY.

Reading the title, I would assume that the actor has tried 25 different passwords and Defender was somehow able to determine that the passwords used were not the same in each attempt. Otherwise the title is somewhat misleading and should read something along the lines of 'An actor on Device XXX attempted to logon to User YYY 25 times.

Any thoughts?