Azure AD Multi-Factor Authentication Disabled
Description
The following analytic identifies an attempt to disable multi-factor authentication for an Azure AD user. An adversary who has obtained access to an Azure AD tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistence in the environment without adding new users.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Authentication
- Last Updated: 2023-12-20
- Author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
- ID: 482dd42a-acfa-486b-a0bb-d6fcda27318e
Annotations
ATT&CK
Kill Chain Phase
- Weaponization
- Exploitation
- Installation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
`azure_monitor_aad` category=AuditLogs operationName="Disable Strong Authentication"
| rename properties.* as *
| rename targetResources{}.type as type
| rename initiatedBy.user.userPrincipalName as initiatedBy
| stats count min(_time) as firstTime max(_time) as lastTime by user, type, operationName, initiatedBy, result
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_multi_factor_authentication_disabled_filter`
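The following Python is an added illustration of what the search above computes, not code from the page or from Splunk: it filters constructed AuditLogs records on the operation name, flattens the nested initiatedBy and targetResources properties, groups by user, type, operationName, initiatedBy and result with count and first/last time, and attaches the RBA risk score and message. It assumes the SPL `user` field is the target's userPrincipalName from targetResources{}; all sample values are made up.

```python
from datetime import datetime

DISABLE_OP = "Disable Strong Authentication"


def audit_event(time, op, result, actor, target, target_type="User"):
    """Build a constructed AuditLogs record in the nested shape of azure:monitor:aad."""
    return {"time": time, "category": "AuditLogs", "operationName": op,
            "properties": {"result": result,
                           "initiatedBy": {"user": {"userPrincipalName": actor}},
                           "targetResources": [{"type": target_type, "userPrincipalName": target}]}}


# Constructed sample events (not real tenant data): two disables of alice by admin,
# one failed disable of bob, and one unrelated operation that must be filtered out.
SAMPLE_EVENTS = [
    audit_event("2023-12-20T10:00:00Z", DISABLE_OP, "success", "admin@example.com", "alice@example.com"),
    audit_event("2023-12-20T11:30:00Z", DISABLE_OP, "success", "admin@example.com", "alice@example.com"),
    audit_event("2023-12-20T12:00:00Z", DISABLE_OP, "failure", "helpdesk@example.com", "bob@example.com"),
    audit_event("2023-12-20T12:05:00Z", "Reset password (by admin)", "success", "helpdesk@example.com", "bob@example.com"),
]


def risk_score(impact, confidence):
    """Risk Score = Impact * Confidence / 100, as in the RBA table (50 * 90 / 100 = 45.0)."""
    return impact * confidence / 100


def detect_mfa_disabled(events, impact=50, confidence=90):
    """Mirror the search: filter, rename/flatten, then stats count min(_time) max(_time) by key."""
    groups = {}
    for ev in events:
        if ev.get("category") != "AuditLogs" or ev.get("operationName") != DISABLE_OP:
            continue
        props = ev.get("properties", {})
        ts = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        initiated_by = props.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
        # One row per target resource, like Splunk expanding a multivalue field in stats.
        # Assumption: "user" is the target userPrincipalName (extracted by the add-on).
        for target in props.get("targetResources", []):
            key = (target.get("userPrincipalName"), target.get("type"), ev["operationName"],
                   initiated_by, props.get("result"))
            g = groups.setdefault(key, {"count": 0, "firstTime": ts, "lastTime": ts})
            g["count"] += 1
            g["firstTime"] = min(g["firstTime"], ts)
            g["lastTime"] = max(g["lastTime"], ts)
    return [{"user": k[0], "type": k[1], "operationName": k[2], "initiatedBy": k[3], "result": k[4],
             **g, "risk_score": risk_score(impact, confidence),
             "message": f"MFA disabled for User {k[0]} initiated by {k[3]}"} for k, g in groups.items()]


if __name__ == "__main__":
    for row in detect_mfa_disabled(SAMPLE_EVENTS):
        print(row)
```

A failed attempt still produces a row, since the search groups by result rather than filtering on it; that is the result the filter macro would typically be used to tune.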
Macros
The SPL above uses the following Macros:
azure_ad_multi_factor_authentication_disabled_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- user
- properties.targetResources{}.type
- properties.initiatedBy.user.userPrincipalName
- properties.result
How To Implement
You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.
Known False Positives
Legitimate use cases may require users to disable MFA. Filter as needed.
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 45.0 | 50 | 90 | MFA disabled for User $user$ initiated by $initiatedBy$ |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence / 100). The initial Confidence and Impact are set by the analytic author.
Reference
- https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks
- https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
- https://attack.mitre.org/tactics/TA0005/
- https://attack.mitre.org/techniques/T1556/
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively, you can replay a dataset into a Splunk Attack Range.
source | version: 2