TTPwire Vol. 1 · MITRE ATT&CK-Tagged


Huntress

Hunting for M365 Password Spraying | Huntress

2024-10-03

ATT&CK techniques detected

9 predictions
T1110.003 Password Spraying · 99%
“Typically when looking at M365 sign-in telemetry, those of us on the defensive end are often quick to dismiss ASN values that match up with legitimate cloud services. After all, why should a login from a Microsoft-owned ASN block be considered suspicious? The proliferation of…”
T1110.003 Password Spraying · 99%
“capabilities to randomize authentication attempts. “Jitters” seek to add randomized time intervals between login attempts. Tools such as TrevorSpray have built-in jitter and delay capabilities to avoid temporal-based detections as well as any lockout policies: other tools…”
T1110.003 Password Spraying · 98%
“between it and a brute force attack, particularly when viewed from a hunting point of view. Let’s take a look at a visual thought pattern for hunting password spraying and contrast this to the previous thought pattern regarding hunting brute force attacks: Although we’re mos…”
T1110.003 Password Spraying · 98%
“it was determined that some type of credential theft did indeed occur, and the customers were notified immediately, as seen in Figure 8: Staying protected. Although we at Huntress love threat hunting adventures, we would strongly prefer to find zero compromises when pursuing the…”
T1110.003 Password Spraying · 98%
“Hunting for M365 Password Spraying | Huntress. On January 19, 2024 Microsoft released a statement regarding the threat actor group named “Midnight Blizzard” — this state-sponsored actor was observed by Microsoft as performing password spraying against a legacy tenant, from whi…”
T1110.003 Password Spraying · 98%
“, we assume that the victim user has a valid session to the M365 environment, so we can look at aspects such as multiple user agents, operating systems, or IP organizations/ASNs in use by a singular session ID. However, a user who’s been idle within an M365 environment can st…”
T1110.003 Password Spraying · 97%
“Password spraying falls under the “Brute Force (T1110)” technique. This organization makes complete sense from an ATT&CK matrix and logical grouping standpoint. However, when looking at brute forcing (T1110) versus password spraying (T1110.003) through a threat-hunti…”
T1110.003 Password Spraying · 97%
“detections that looked for multiple authentication events from a single IP address. These newer password spraying tactics now involve the use of cloud services such as the Amazon Web Services (AWS) API Gateway or GitHub Actions to rotate IP addresses upon every authentication a…”
T1525 Implant Internal Image · 69%
“below contain a redacted screenshot of a compromised identity discovered through proactive hunting efforts. We can see that a VPN was used to perform authentication, the suspicious programmatic user agent sticks out a bit, and we see authentications from two states. Of course, on…”

Summary

Join Huntress Threat Hunters as they unpack the password-spraying techniques of threat actors, exposing how they target everything from small businesses to giants like Microsoft.