Active Directory: Password change after succesful brute force

Bert-JanP · Bert-JanP · commit d20738750f53 · 2023-08-16T07:55:53.000+02:00
diff --git a/Defender For Identity/PasswordChangeAfterSuccesfulBruteForce.md b/Defender For Identity/PasswordChangeAfterSuccesfulBruteForce.md
@@ -0,0 +1,88 @@
+# Password change after succesful brute force
+
+## Query Information
+
+#### MITRE ATT&CK Technique(s)
+
+| Technique ID | Title    | Link    |
+| ---  | --- | --- |
+| T1098 | Account Manipulation | https://attack.mitre.org/techniques/T1098/ |
+| T1110 | Brute Force | https://attack.mitre.org/techniques/T1110/ |
+
+#### Description
+Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. This query combines the brute force indicators with a followed password change after the adversary has gained access to an account. 
+
+The query uses a variety of different variables which determine the result.
+- *FailedLogonsThreshold* - The minimum amount of failed logons.
+- *SuccessfulLogonsThreshold* - The minimum amount of successful logons.
+- *TimeWindow* - Timewindow in which the failed and successful thresholds must be met.
+- *SearchWindow* - Time between the successful brute force and the password change.
+
+#### Risk
+An adversary has successfully performed a brute force on an account and changes the password to keep persistence
+
+#### References
+- https://attack.mitre.org/datasources/DS0002/#User%20Account%20Modification
+
+## Defender For Endpoint
+```
+let FailedLogonsThreshold = 20;
+let SuccessfulLogonsThreshold = 1;
+let TimeWindow = 15m;
+// Time between the succesful brute force and password change. Difference should be added in minutes
+let SearchWindow = 120;
+IdentityLogonEvents
+// Filter emtpy UPN
+| where isnotempty(AccountUpn)
+| summarize
+    TotalAttempts = count(),
+    SuccessfulAttempts = countif(ActionType == "LogonSuccess"),
+    FailedAttempts = countif(ActionType == "LogonFailed")
+    by bin(Timestamp, TimeWindow), AccountUpn
+// Use variables to define brute force attack
+| where SuccessfulAttempts >= SuccessfulLogonsThreshold and FailedAttempts >= FailedLogonsThreshold
+// join password changes
+| join kind=inner (IdentityDirectoryEvents
+    | where Timestamp > ago(30d)
+    | where ActionType == "Account Password changed"
+    | where isnotempty(TargetAccountUpn)
+    | extend PasswordChangeTime = Timestamp
+    | project PasswordChangeTime, TargetAccountUpn)
+    on $left.AccountUpn == $right.TargetAccountUpn
+// Collect timedifference between brute force (note that is uses the bin time) and the password change
+| extend TimeDifference = datetime_diff('minute', PasswordChangeTime, Timestamp)
+// Remove all entries where the password change took place before the brute force
+| where TimeDifference > 0
+| where TimeDifference <= SearchWindow
+```
+## Sentinel
+```
+let FailedLogonsThreshold = 20;
+let SuccessfulLogonsThreshold = 1;
+let TimeWindow = 15m;
+// Time between the succesful brute force and password change. Difference should be added in minutes
+let SearchWindow = 120;
+IdentityLogonEvents
+// Filter emtpy UPN
+| where isnotempty(AccountUpn)
+| summarize
+    TotalAttempts = count(),
+    SuccessfulAttempts = countif(ActionType == "LogonSuccess"),
+    FailedAttempts = countif(ActionType == "LogonFailed")
+    by bin(TimeGenerated, TimeWindow), AccountUpn
+// Use variables to define brute force attack
+| where SuccessfulAttempts >= SuccessfulLogonsThreshold and FailedAttempts >= FailedLogonsThreshold
+// join password changes
+| join kind=inner (IdentityDirectoryEvents
+    | where TimeGenerated > ago(30d)
+    | where ActionType == "Account Password changed"
+    | where isnotempty(TargetAccountUpn)
+    | extend PasswordChangeTime = TimeGenerated
+    | project PasswordChangeTime, TargetAccountUpn)
+    on $left.AccountUpn == $right.TargetAccountUpn
+// Collect timedifference between brute force (note that is uses the bin time) and the password change
+| extend TimeDifference = datetime_diff('minute', PasswordChangeTime, TimeGenerated)
+// Remove all entries where the password change took place before the brute force
+| where TimeDifference > 0
+| where TimeDifference <= SearchWindow
+```
diff --git a/MITRE ATT&CK/Mapping.md b/MITRE ATT&CK/Mapping.md
@@ -26,9 +26,10 @@ This section only includes references to queries that can be mapped in the MITRE
 
 | Technique ID | Title    | Query    |
 | ---  | --- | --- |
+| T1098 | Account Manipulation | [Password Change After Succesful Brute Force](../Defender%20For%20Identity/PasswordChangeAfterSuccesfulBruteForce.md)|
 | T1136.001 | Create Account: Local Account | [Local Account Creation](../Defender%20For%20Endpoint/LocalAccountCreated.md) |
 | T1136.003 | Create Account: Cloud Account | [Cloud Persistence Activity By User AtRisk](../Azure%20Active%20Directory/CloudPersistenceActivityByUserAtRisk.md) |
-|  T1078.004 | Valid Accounts: Cloud Accounts | [Cloud Persistence Activity By User AtRisk](../Azure%20Active%20Directory/CloudPersistenceActivityByUserAtRisk.md)|
+| T1078.004 | Valid Accounts: Cloud Accounts | [Cloud Persistence Activity By User AtRisk](../Azure%20Active%20Directory/CloudPersistenceActivityByUserAtRisk.md)|
 | T1137 | Office Application Startup | [ASR Executable Office Content](../Defender%20For%20Endpoint/ASR%20Rules/AsrExecutableOfficeContent.md) |
 
 ## Privilege Escalation
@@ -58,6 +59,7 @@ This section only includes references to queries that can be mapped in the MITRE
 
 | Technique ID | Title    | Query    |
 | ---  | --- | --- |
+| T1110 | Brute Force | [Password Change After Succesful Brute Force](../Defender%20For%20Identity/PasswordChangeAfterSuccesfulBruteForce.md) |
 | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | [Potential Kerberos Encryption Downgrade](../Defender%20For%20Identity/PotentialKerberosEncryptionDowngrade.md) |
 
 ## Discovery
