Azure AD Multiple Denied MFA Requests For User

Try in Splunk Security Cloud

Description

The following analytic detects an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically when more than nine MFA prompts are declined. It leverages Azure Active Directory (Azure AD) sign-in logs, focusing on "Sign-in activity" events with error code 500121 and additional details indicating "MFA denied; user declined the authentication." This behavior is significant as it may indicate a targeted attack or account compromise attempt, with the user actively declining unauthorized access. If confirmed malicious, it could lead to data exfiltration, lateral movement, or further malicious activities.

• Type: TTP

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2024-05-18
• Author: Mauricio Velazco, Splunk
• ID: d0895c20-de71-4fd2-b56c-3fcdb888eba1

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1621	Multi-Factor Authentication Request Generation	Credential Access

Kill Chain Phase

• Exploitation

NIST

• DE.CM

CIS20

• CIS 10

CVE

Search

`azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" 
| rename properties.* as * 
| search status.errorCode=500121 status.additionalDetails="MFA denied; user declined the authentication" 
| bucket span=10m _time 
| stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, appDisplayName, user_agent 
| where count > 9 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `azure_ad_multiple_denied_mfa_requests_for_user_filter`

Macros

The SPL above uses the following Macros:

• azure_monitor_aad
• security_content_ctime

azure_ad_multiple_denied_mfa_requests_for_user_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• category
• properties.status.errorCode
• properties.status.additionalDetails
• user
• properties.appDisplayName
• user_agent

How To Implement

You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.

Known False Positives

Multiple denifed MFA requests in a short period of span may also be a sign of authentication errors. Investigate and filter as needed.

Associated Analytic Story

• Azure Active Directory Account Takeover

RBA

Risk Score	Impact	Confidence	Message
54.0	60	90	User $user$ denied more than 9 MFA requests in a timespan of 10 minutes.

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://www.mandiant.com/resources/blog/russian-targeting-gov-business
• https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/
• https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/
• https://attack.mitre.org/techniques/T1621/
• https://attack.mitre.org/techniques/T1078/004/
• https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 3