LoFP / although not recommended, certain users may be required without multi-factor authentication. filter as needed

Techniques

• T1078
• T1078.004
• T1586
• T1586.003

Sample rules

Azure AD Successful Single-Factor Authentication

• source: splunk
• technicques:
  • T1586
  • T1586.003
  • T1078
  • T1078.004

Description

The following analytic identifies a successful single-factor authentication event against Azure Active Directory. It leverages Azure SignInLogs data, specifically focusing on events where single-factor authentication succeeded. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. If confirmed malicious, an attacker could gain unauthorized access to the account, potentially leading to data breaches, privilege escalation, or further exploitation within the environment.

Detection logic

`azure_monitor_aad` category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication properties.authenticationDetails{}.succeeded=true 
| rename properties.* as * 
| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, appDisplayName, authenticationRequirement 
| `azure_ad_successful_single_factor_authentication_filter`

GCP Successful Single-Factor Authentication

• source: splunk
• technicques:
  • T1586
  • T1586.003
  • T1078
  • T1078.004

Description

The following analytic identifies a successful single-factor authentication event against Google Cloud Platform (GCP) for an account without Multi-Factor Authentication (MFA) enabled. It uses Google Workspace login event data to detect instances where MFA is not utilized. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. If confirmed malicious, an attacker could gain unauthorized access to GCP resources, potentially leading to data breaches, service disruptions, or further exploitation within the cloud environment.

Detection logic

`gws_reports_login` event.name=login_success NOT `gws_login_mfa_methods` 
| stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip,  login_challenge_method, app, event.name, vendor_account, action 
|`security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `gcp_successful_single_factor_authentication_filter`