O365 Multiple AppIDs and UserAgents Authentication Spike
Description
The following analytic identifies unusual authentication activity in an O365 environment, where a single user account experiences more than 8 authentication attempts using 3 or more unique application IDs and over 5 unique user agents within a short timeframe. It leverages O365 audit logs, focusing on authentication events and applying statistical thresholds. This behavior is significant as it may indicate an adversary probing for multi-factor authentication weaknesses. If confirmed malicious, it suggests a compromised account, potentially leading to unauthorized access, privilege escalation, and data exfiltration. Early detection is crucial to prevent further exploitation.
- Type: Anomaly
-
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2024-05-12
- Author: Mauricio Velazco, Splunk
- ID: 66adc486-224d-45c1-8e4d-9e7eeaba988f
Annotations
ATT&CK
Kill Chain Phase
- Exploitation
- Installation
- Delivery
NIST
- DE.AE
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
`o365_management_activity` Workload=AzureActiveDirectory (Operation=UserLoggedIn OR Operation=UserLoginFailed)
| bucket span=5m _time
| stats dc(_raw) as failed_attempts dc(ApplicationId) as unique_app_ids dc(UserAgent) as unique_user_agents values(ApplicationId) values(OS) by _time user src_ip
| where failed_attempts > 5 and unique_user_agents > 5 and unique_app_ids > 2
| `o365_multiple_appids_and_useragents_authentication_spike_filter`
Macros
The SPL above uses the following Macros:
o365_multiple_appids_and_useragents_authentication_spike_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- Workload
- Operation
- ApplicationId
- UserAgent
- OS
How To Implement
You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
Known False Positives
Rapid authentication from the same user using more than 5 different user agents and 3 application IDs is highly unlikely under normal circumstances. However, there are potential scenarios that could lead to false positives.
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
48.0 | 60 | 80 | $user$ authenticated in a short period of time with more than 5 different user agents across 3 or more unique application ids. |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Reference
- https://attack.mitre.org/techniques/T1078/
- https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/
- https://github.com/dafthack/MFASweep
- https://www.youtube.com/watch?v=SK1zgqaAZ2E
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 2