O365 Multiple AppIDs and UserAgents Authentication Spike

Try in Splunk Security Cloud

Description

The following analytic identifies unusual authentication activity in an O365 environment, where a single user account experiences more than 8 authentication attempts using 3 or more unique application IDs and over 5 unique user agents within a short timeframe. It leverages O365 audit logs, focusing on authentication events and applying statistical thresholds. This behavior is significant as it may indicate an adversary probing for multi-factor authentication weaknesses. If confirmed malicious, it suggests a compromised account, potentially leading to unauthorized access, privilege escalation, and data exfiltration. Early detection is crucial to prevent further exploitation.

• Type: Anomaly

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2024-05-12
• Author: Mauricio Velazco, Splunk
• ID: 66adc486-224d-45c1-8e4d-9e7eeaba988f

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1078	Valid Accounts	Defense Evasion, Persistence, Privilege Escalation, Initial Access

Kill Chain Phase

• Exploitation
• Installation
• Delivery

NIST

• DE.AE

CIS20

• CIS 10

CVE

Search

 `o365_management_activity` Workload=AzureActiveDirectory (Operation=UserLoggedIn OR Operation=UserLoginFailed) 
| bucket span=5m _time 
| stats  dc(_raw) as failed_attempts dc(ApplicationId) as unique_app_ids dc(UserAgent) as unique_user_agents values(ApplicationId) values(OS) by _time user src_ip 
| where failed_attempts > 5 and unique_user_agents > 5 and unique_app_ids > 2 
| `o365_multiple_appids_and_useragents_authentication_spike_filter`

Macros

The SPL above uses the following Macros:

• o365_management_activity

o365_multiple_appids_and_useragents_authentication_spike_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• Workload
• Operation
• ApplicationId
• UserAgent
• OS

How To Implement

You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.

Known False Positives

Rapid authentication from the same user using more than 5 different user agents and 3 application IDs is highly unlikely under normal circumstances. However, there are potential scenarios that could lead to false positives.

Associated Analytic Story

• Office 365 Account Takeover

RBA

Risk Score	Impact	Confidence	Message
48.0	60	80	$user$ authenticated in a short period of time with more than 5 different user agents across 3 or more unique application ids.

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://attack.mitre.org/techniques/T1078/
• https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/
• https://github.com/dafthack/MFASweep
• https://www.youtube.com/watch?v=SK1zgqaAZ2E

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 2