diff --git a/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml b/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml new file mode 100644 index 0000000000..4f675e3670 --- /dev/null +++ b/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml 
@@ -0,0 +1,64 @@ +name: Azure AD Multiple Denied MFA Requests For User +id: d0895c20-de71-4fd2-b56c-3fcdb888eba1 +version: 1 +date: '2023-10-31' +author: Mauricio Velazco, Splunk +status: production +type: TTP +data_source: [] +description: This analytic targets the detection of an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically identifying instances where more than nine MFA prompts were declined by the user. Utilizing Azure Active Directory (Azure AD) sign-in logs, particularly focusing on "Sign-in activity" events, it filters for scenarios where the MFA request was denied due to the user declining the authentication, as indicated by error code 500121 and additional details stating "MFA denied; user declined the authentication." The data is then aggregated into 10-minute intervals, counting distinct raw events and capturing the earliest and latest times of occurrence for each user. This behavior is significant for a Security Operations Center (SOC) as it could be an early indicator of a targeted attack or an account compromise attempt, with an attacker having obtained the user's credentials and the user actively declining the MFA prompts, preventing unauthorized access. A true positive detection would imply that an attacker is on the verge of gaining full access to the user's account, posing a threat that could lead to data exfiltration, lateral movement, or further malicious activities within the organization, necessitating immediate investigation and response to safeguard the organization's assets. 
+search: '`azure_monitor_aad` category=SignInLogs category="Sign-in activity" + | rename properties.* as * + | search status.errorCode=500121 status.additionalDetails="MFA denied; user declined the authentication" + | bucket span=10m _time + | stats dc(_raw) AS mfa_prompts earliest(_time) as firstTime latest(_time) as lastTime by user, status.additionalDetails, appDisplayName, userAgent, _time + | where mfa_prompts > 9 + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `azure_ad_multiple_denied_mfa_requests_for_user_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. +known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES +references: +- https://www.mandiant.com/resources/blog/russian-targeting-gov-business +- https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/ +- https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/ +- https://attack.mitre.org/techniques/T1621/ +- https://attack.mitre.org/techniques/T1078/004/ +tags: + analytic_story: + - Azure Active Directory Account Takeover + asset_type: Azure Active Directory + confidence: 90 + impact: 60 + atomic_guid: [] + message: User $user$ denied more than 9 MFA requests in a timespan of 10 minutes. 
+ mitre_attack_id: + - T1621 + observable: + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 54 + required_fields: + - _time + - category + - category + - properties.status.errorCode + - properties.status.additionalDetails + - user + - properties.appDisplayName + - properties.userAgent + security_domain: identity +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/azure_ad_multiple_denied_mfa_requests.log + source: Azure AD + sourcetype: azure:monitor:aad
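Review bot: `category=SignInLogs category="Sign-in activity"` in the search constrains the same field to two different values, so unless `category` is multivalued in this sourcetype the search matches nothing; `required_fields` lists `category` twice and never lists `operationName`, which suggests the second clause was meant to be `operationName="Sign-in activity"`, with the duplicated `category` entry in `required_fields` changed to match the field actually used. Two more points in the same hunk: `known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES` is a template placeholder while `status: production` is set, so it should be filled in before this ships (for example, a user repeatedly dismissing prompts generated by a misconfigured client that keeps retrying, or helpdesk-driven testing); and because `bucket span=10m _time` rewrites `_time` before `stats`, `earliest(_time)` and `latest(_time)` both collapse to the bucket start, so `firstTime` and `lastTime` carry no information beyond the bucket. If the first and last prompt times are meant to be shown, bin into a separate field (`bin span=10m _time AS time_bucket`) and group `by user, time_bucket` instead. Finally, grouping by `appDisplayName` and `userAgent` splits the count per application and client, so an attacker who alternates target apps or user agents across the prompts stays under `mfa_prompts > 9`; grouping by `user` and the time bucket only, and carrying `appDisplayName` and `userAgent` through `values()`, keeps the threshold meaningful.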