-
Notifications
You must be signed in to change notification settings - Fork 375
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
64 additions
and
0 deletions.
There are no files selected for viewing
64 changes: 64 additions & 0 deletions
64
detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| name: Azure AD Multiple Denied MFA Requests For User | ||
| id: d0895c20-de71-4fd2-b56c-3fcdb888eba1 | ||
| version: 1 | ||
| date: '2023-10-31' | ||
| author: Mauricio Velazco, Splunk | ||
| status: production | ||
| type: TTP | ||
| data_source: [] | ||
| description: This analytic targets the detection of an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically identifying instances where more than nine MFA prompts were declined by the user. Utilizing Azure Active Directory (Azure AD) sign-in logs, particularly focusing on "Sign-in activity" events, it filters for scenarios where the MFA request was denied due to the user declining the authentication, as indicated by error code 500121 and additional details stating "MFA denied; user declined the authentication." The data is then aggregated into 10-minute intervals, counting distinct raw events and capturing the earliest and latest times of occurrence for each user. This behavior is significant for a Security Operations Center (SOC) as it could be an early indicator of a targeted attack or an account compromise attempt, with an attacker having obtained the user's credentials and the user actively declining the MFA prompts, preventing unauthorized access. A true positive detection would imply that an attacker is on the verge of gaining full access to the user's account, posing a threat that could lead to data exfiltration, lateral movement, or further malicious activities within the organization, necessitating immediate investigation and response to safeguard the organization's assets. | ||
| search: '`azure_monitor_aad` category=SignInLogs category="Sign-in activity" | ||
| | rename properties.* as * | ||
| | search status.errorCode=500121 status.additionalDetails="MFA denied; user declined the authentication" | ||
| | bucket span=10m _time | ||
| | stats dc(_raw) AS mfa_prompts earliest(_time) as firstTime latest(_time) as lastTime by user, status.additionalDetails, appDisplayName, userAgent, _time | ||
| | where mfa_prompts > 9 | ||
| | `security_content_ctime(firstTime)` | ||
| | `security_content_ctime(lastTime)` | ||
| | `azure_ad_multiple_denied_mfa_requests_for_user_filter`' | ||
| how_to_implement: You must install the latest version of Splunk Add-on for Microsoft | ||
| Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. | ||
| This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. | ||
| known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES | ||
| references: | ||
| - https://www.mandiant.com/resources/blog/russian-targeting-gov-business | ||
| - https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/ | ||
| - https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/ | ||
| - https://attack.mitre.org/techniques/T1621/ | ||
| - https://attack.mitre.org/techniques/T1078/004/ | ||
| tags: | ||
| analytic_story: | ||
| - Azure Active Directory Account Takeover | ||
| asset_type: Azure Active Directory | ||
| confidence: 90 | ||
| impact: 60 | ||
| atomic_guid: [] | ||
| message: User $user$ denied more than 9 MFA requests in a timespan of 10 minutes. | ||
| mitre_attack_id: | ||
| - T1621 | ||
| observable: | ||
| - name: user | ||
| type: User | ||
| role: | ||
| - Victim | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| risk_score: 54 | ||
| required_fields: | ||
| - _time | ||
| - category | ||
| - category | ||
| - properties.status.errorCode | ||
| - properties.status.additionalDetails | ||
| - user | ||
| - properties.appDisplayName | ||
| - properties.userAgent | ||
| security_domain: identity | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/azure_ad_multiple_denied_mfa_requests.log | ||
| source: Azure AD | ||
| sourcetype: azure:monitor:aad |