Azure AD Multiple Denied MFA Requests For User
Description
The following analytic detects an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically when more than nine MFA prompts are declined. It leverages Azure Active Directory (Azure AD) sign-in logs, focusing on "Sign-in activity" events with error code 500121 and additional details indicating "MFA denied; user declined the authentication." This behavior is significant as it may indicate a targeted attack or account compromise attempt, with the user actively declining unauthorized access. If confirmed malicious, it could lead to data exfiltration, lateral movement, or further malicious activities.
- Type: TTP
-
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2024-05-18
- Author: Mauricio Velazco, Splunk
- ID: d0895c20-de71-4fd2-b56c-3fcdb888eba1
Annotations
ATT&CK
Kill Chain Phase
- Exploitation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
6
7
8
9
`azure_monitor_aad` category=SignInLogs operationName="Sign-in activity"
| rename properties.* as *
| search status.errorCode=500121 status.additionalDetails="MFA denied; user declined the authentication"
| bucket span=10m _time
| stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, appDisplayName, user_agent
| where count > 9
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_multiple_denied_mfa_requests_for_user_filter`
Macros
The SPL above uses the following Macros:
azure_ad_multiple_denied_mfa_requests_for_user_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- category
- properties.status.errorCode
- properties.status.additionalDetails
- user
- properties.appDisplayName
- user_agent
How To Implement
You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.
Known False Positives
Multiple denifed MFA requests in a short period of span may also be a sign of authentication errors. Investigate and filter as needed.
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
54.0 | 60 | 90 | User $user$ denied more than 9 MFA requests in a timespan of 10 minutes. |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Reference
- https://www.mandiant.com/resources/blog/russian-targeting-gov-business
- https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/
- https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/
- https://attack.mitre.org/techniques/T1621/
- https://attack.mitre.org/techniques/T1078/004/
- https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 3