Nicholas Anastasi is Speaking at GrassR00tz on June 6

Sprocket will be sponsoring GrassR00tz 2024. This event is held at the Fox Valley Technical College in Appleton WI.

Sprocket is excited to be sponsoring GrassR00tz. This 1-day security conference, with 3 speaking tracks, is a great opportunity for learning, networking, CPEs and giving. The event takes place at Fox Valley Technical College (https://www.fvtc.edu/) in Appleton, WI.

Sprocket's own Nicholas Anastasi will present "What the Hell is Azure AD Smart Lockout?" at the conference this year.

Abstract

Password spraying has always been one of the cornerstones of any penetration tester’s tool belt. With the advent of cloud-hosted services and a diabolical plot by Microsoft to lock all organizations into a lifelong monthly subscription service, attackers have begun to face modern security controls that are on to our nefarious tactics. Microsoft has built controls into their authentication endpoints to detect and block password spraying attempts at scale. The controls are on by default and protect every organization utilizing their services. The days of spraying Microsoft Exchange, accessing the VPN, and grabbing domain admin in under eight hours are over.

Microsoft has bragged for years now that they process millions of login attempts daily and have built security controls to detect even the most evasive password-spraying methodologies. These detection techniques depend on supervised machine-learning models. They have coined this machine learning model, which is mainly shrouded in mystery, Azure AD Smart Lockout. Let’s try to beat it.

Machine learning models used for detection always have an edge case and breaking point. Using modern web scraping technologies and unique evasion techniques, it is possible to very closely mimic real-world user authentication attempts, making detection of password spraying extremely difficult for Microsoft.

During this talk, we will be breaking down what we believe is the process Microsoft uses to facilitate Azure AD Smart Lockout and attempt to bypass it to allow for password spraying attacks at scale. Using these techniques tactfully, an attacker could successfully guess their way into user accounts like in the olden days. We might not get domain administrator access, but we can still show a lot of impact.

Even if Microsoft successfully begins to detect these evasion techniques, and they will, you should walk away from this talk with a better knowledge of what SaaS platforms are doing to protect your user accounts. If we just figured this all out, actual threat groups and APTs probably have been doing it for years. At the end of the presentation, it should become clear that an in-depth defense strategy is critical to securing an organization, and depending on the big five to protect your users out of the box isn’t the way to go.
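The abstract argues that an organization should not rely solely on the provider's built-in lockout logic and needs its own layer of defense. The shape a password spray leaves in sign-in telemetry is what a defender can key on: one source touching many distinct accounts, only one or two attempts per account, and almost all of them failing. The script below is an added illustration of that detection logic and is not Sprocket's, the speaker's, or Microsoft's code; the log lines are constructed in a made-up CSV layout (timestamp, user, source IP, result), not the real Entra ID sign-in schema, and the thresholds are assumptions a team would tune to its own tenant.

```python
"""Password-spray detection over constructed sign-in log lines.

Added example for the talk abstract above; not code from Sprocket, the
speaker, or Microsoft. The log format below is constructed for illustration
and does not match the Entra ID sign-in log schema. A spray is recognised as:
one source, many distinct accounts, few attempts per account, mostly failures.
A single account hammered from one source (brute force) deliberately does
not match this rule, because it is a different pattern with a different
response.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. Columns: timestamp,user,source_ip,result
SAMPLE_LOG = """\
2024-06-06T09:00:00,alice@example.com,203.0.113.10,failure
2024-06-06T09:00:30,bob@example.com,203.0.113.10,failure
2024-06-06T09:01:00,carol@example.com,203.0.113.10,failure
2024-06-06T09:01:30,dave@example.com,203.0.113.10,failure
2024-06-06T09:02:00,erin@example.com,203.0.113.10,failure
2024-06-06T09:02:30,frank@example.com,203.0.113.10,failure
2024-06-06T09:03:00,grace@example.com,203.0.113.10,success
2024-06-06T09:03:30,heidi@example.com,203.0.113.10,failure
2024-06-06T09:04:00,ivan@example.com,203.0.113.10,failure
2024-06-06T09:04:30,judy@example.com,203.0.113.10,failure
2024-06-06T09:10:00,alice@example.com,198.51.100.7,failure
2024-06-06T09:10:10,alice@example.com,198.51.100.7,failure
2024-06-06T09:10:20,alice@example.com,198.51.100.7,failure
2024-06-06T09:10:30,alice@example.com,198.51.100.7,failure
2024-06-06T09:10:40,alice@example.com,198.51.100.7,failure
2024-06-06T09:10:50,alice@example.com,198.51.100.7,failure
2024-06-06T09:20:00,bob@example.com,192.0.2.5,failure
2024-06-06T09:20:15,bob@example.com,192.0.2.5,success
"""


def parse_log(text):
    """Parse the constructed CSV into (timestamp, user, source_ip, succeeded) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        events.append((datetime.fromisoformat(ts), user.lower(), ip, result == "success"))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5,
                 max_per_user=2, min_fail_ratio=0.8):
    """Return {source_ip: summary} for sources whose activity looks like a spray.

    Thresholds are assumed starting points, not Microsoft's values:
      min_users      - distinct accounts a source must touch inside the window
      max_per_user   - at most this many attempts per account (sprays stay low)
      min_fail_ratio - share of attempts that failed (one success is the hit)
    """
    by_ip = defaultdict(list)
    for event in sorted(events):
        by_ip[event[2]].append(event)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than `window` of time.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            per_user = defaultdict(int)
            failures = 0
            for _, user, _, ok in win:
                per_user[user] += 1
                failures += 0 if ok else 1
            if (len(per_user) >= min_users
                    and max(per_user.values()) <= max_per_user
                    and failures / len(win) >= min_fail_ratio):
                summary = {"users": len(per_user), "attempts": len(win), "failures": failures}
                # Keep the widest window seen for this source.
                if ip not in findings or summary["users"] > findings[ip]["users"]:
                    findings[ip] = summary
    return findings


def successful_accounts(events, ip):
    """Accounts that authenticated successfully from a flagged source; these are
    the first candidates for a credential reset and session revocation."""
    return sorted({user for _, user, src, ok in events if src == ip and ok})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, summary in detect_spray(evs).items():
        print(f"spray from {src}: {summary}")
        print(f"  successful accounts: {successful_accounts(evs, src)}")
```

Only the first source is flagged: it touched ten accounts once each and failed nine times. The second source fails six times against one account, which is brute force rather than a spray and is left to a per-account rule; the third is an ordinary user mistyping once. The thresholds are deliberately loose because the abstract's point is that a spray tuned to look like real user traffic spreads attempts out; a wider window and a lower per-user cap are the knobs to turn when the attacker slows down.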

About Nicholas Anastasi

Nicholas Anastasi started his career in cybersecurity at Sprocket Security and hasn’t looked back. Continuous Penetration Testing is all he knows, and during his day-to-day, he leads the penetration testing team, writes a ton of Python, and works tirelessly to improve the Continuous Penetration Testing process. In his free time, Nicholas enjoys running, eating too much candy, and working on his homelab.

About GrassR00tz

This is a Northeast Wisconsin security conference put on by security professionals for security professionals with the following objectives:

  • EDUCATION: Whether you need CPEs for a certification or just want to hear what other local security pros are thinking about, we would like this to be a place to discuss.
  • CHARITY: We've all received so much from the community at large, we also want to find ways to give back.
  • COMMUNITY: We want to foster a sense of community with local security professionals. A community of trust and transparency so that all may get better at our chosen profession.

For tickets, agenda information, and more please visit https://www.grassr00tz.com/
Media Contact

Marketing, Sprocket Security
marketing@sprocketsecurity.com