Techniques
Sample rules
GCP Multi-Factor Authentication Disabled
- source: splunk
- techniques:
- T1586 (Compromise Accounts)
- T1586.003 (Compromise Accounts: Cloud Accounts)
- T1556 (Modify Authentication Process)
- T1556.006 (Modify Authentication Process: Multi-Factor Authentication)
Description
The following analytic identifies an attempt to disable multi-factor authentication for a GCP user, as recorded by the UNENROLL_USER_FROM_STRONG_AUTH event in the Google Workspace admin audit reports. An adversary who has obtained access to a GCP tenant may disable multi-factor authentication to plant a backdoor and maintain persistence through a valid account. This lets the attacker keep persistence in the environment without adding new users that a defender might notice.
Detection logic
`gws_reports_admin` command=UNENROLL_USER_FROM_STRONG_AUTH
| stats count min(_time) as firstTime max(_time) as lastTime by user, command, actor.email, status, id.applicationName, event.name, vendor_account, action
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `gcp_multi_factor_authentication_disabled_filter`
Azure AD Multi-Factor Authentication Disabled
- source: splunk
- techniques:
- T1586 (Compromise Accounts)
- T1586.003 (Compromise Accounts: Cloud Accounts)
- T1556 (Modify Authentication Process)
- T1556.006 (Modify Authentication Process: Multi-Factor Authentication)
Description
The following analytic identifies an attempt to disable multi-factor authentication for an Azure AD user, as recorded by the "Disable Strong Authentication" operation in the Azure AD audit logs. An adversary who has obtained access to an Azure AD tenant may disable multi-factor authentication to plant a backdoor and maintain persistence through a valid account. This lets the attacker keep persistence in the environment without adding new users that a defender might notice.
Detection logic
`azure_monitor_aad` category=AuditLogs operationName="Disable Strong Authentication"
| rename properties.* as *
| rename targetResources{}.type as type
| rename initiatedBy.user.userPrincipalName as initiatedBy
| stats count min(_time) as firstTime max(_time) as lastTime by user, type, operationName, initiatedBy, result
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_multi_factor_authentication_disabled_filter`
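Both searches above are Splunk SPL and only run inside Splunk. As an added example (not the Splunk security-content code, and not part of the original page), the following Python reproduces the GCP/Google Workspace and the Azure AD detection logic over constructed events, so the filter, the `rename` steps and the `stats ... by` grouping can be checked offline. Assumptions: the Azure AD events are shaped like AuditLogs records (`category`, `operationName`, `properties.targetResources[]`, `properties.initiatedBy.user.userPrincipalName`, `properties.result`); the Google Workspace events are taken to be already flattened to the field names the SPL uses (`user`, `command`, `actor.email`, `status`), and only those four grouping fields are kept; the two `_filter` macros are modelled as an optional allowlist of initiating accounts, which is one common way such a tuning hook is used, not something the page states. All sample events are constructed.

```python
"""Offline emulation of the two MFA-disable Splunk searches (added example).

Azure AD events mimic the AuditLogs schema; Google Workspace events are assumed
pre-flattened to the SPL field names. The `_filter` macros are modelled as an
actor allowlist (assumption). Every event below is constructed, not captured.
"""
from collections import defaultdict
from datetime import datetime, timezone

DISABLE_OP_AZURE = "Disable Strong Authentication"
DISABLE_CMD_GWS = "UNENROLL_USER_FROM_STRONG_AUTH"


def to_epoch(ts):
    """ISO-8601 UTC timestamp ('...Z') -> epoch seconds, i.e. Splunk's _time."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def ctime(epoch):
    """Stand-in for `security_content_ctime`: epoch -> readable UTC time."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def stats(events, group_by):
    """`| stats count min(_time) as firstTime max(_time) as lastTime by <group_by>`."""
    groups = defaultdict(list)
    for ev in events:
        groups[tuple(ev.get(f) for f in group_by)].append(ev["_time"])
    rows = []
    for key, times in sorted(groups.items(), key=lambda kv: str(kv[0])):
        row = dict(zip(group_by, key))
        row.update(count=len(times), firstTime=ctime(min(times)), lastTime=ctime(max(times)))
        rows.append(row)
    return rows


def flatten_azure(raw):
    """The SPL's renames: properties.* -> *, targetResources{}.type -> type,
    initiatedBy.user.userPrincipalName -> initiatedBy. `user` is the target UPN."""
    props = raw.get("properties", {})
    target = (props.get("targetResources") or [{}])[0]
    return {
        "_time": to_epoch(raw["time"]),
        "user": target.get("userPrincipalName"),
        "type": target.get("type"),
        "operationName": raw.get("operationName"),
        "initiatedBy": props.get("initiatedBy", {}).get("user", {}).get("userPrincipalName"),
        "result": props.get("result"),
    }


def detect_gws_mfa_disabled(events, exclude_actors=frozenset()):
    """GCP / Google Workspace rule: command=UNENROLL_USER_FROM_STRONG_AUTH.
    `exclude_actors` stands in for the `_filter` tuning macro (assumed use)."""
    hits = [e for e in events
            if e.get("command") == DISABLE_CMD_GWS and e.get("actor.email") not in exclude_actors]
    return stats(hits, ["user", "command", "actor.email", "status"])


def detect_azure_mfa_disabled(raw_events, exclude_actors=frozenset()):
    """Azure AD rule: category=AuditLogs operationName="Disable Strong Authentication"."""
    hits = [flatten_azure(r) for r in raw_events
            if r.get("category") == "AuditLogs" and r.get("operationName") == DISABLE_OP_AZURE]
    hits = [h for h in hits if h["initiatedBy"] not in exclude_actors]
    return stats(hits, ["user", "type", "operationName", "initiatedBy", "result"])


# Constructed sample data (not captured from any tenant).
GWS_EVENTS = [
    {"_time": to_epoch("2024-03-01T10:00:00Z"), "command": DISABLE_CMD_GWS,
     "user": "victim@example.com", "actor.email": "rogue-admin@example.com", "status": "SUCCESS"},
    {"_time": to_epoch("2024-03-01T10:05:00Z"), "command": DISABLE_CMD_GWS,
     "user": "victim@example.com", "actor.email": "rogue-admin@example.com", "status": "SUCCESS"},
    {"_time": to_epoch("2024-03-01T11:00:00Z"), "command": "CHANGE_PASSWORD",  # benign, not matched
     "user": "other@example.com", "actor.email": "admin@example.com", "status": "SUCCESS"},
]

AZURE_EVENTS = [
    {"time": "2024-03-01T12:00:00Z", "category": "AuditLogs", "operationName": DISABLE_OP_AZURE,
     "properties": {"result": "success",
                    "initiatedBy": {"user": {"userPrincipalName": "rogue@contoso.com"}},
                    "targetResources": [{"type": "User", "userPrincipalName": "victim@contoso.com"}]}},
    {"time": "2024-03-01T12:30:00Z", "category": "AuditLogs", "operationName": DISABLE_OP_AZURE,
     "properties": {"result": "failure",  # a failed attempt is still reported, in its own row
                    "initiatedBy": {"user": {"userPrincipalName": "rogue@contoso.com"}},
                    "targetResources": [{"type": "User", "userPrincipalName": "victim2@contoso.com"}]}},
    {"time": "2024-03-01T13:00:00Z", "category": "AuditLogs", "operationName": "Update user",  # benign
     "properties": {"result": "success",
                    "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.com"}},
                    "targetResources": [{"type": "User", "userPrincipalName": "someone@contoso.com"}]}},
]

if __name__ == "__main__":
    for row in detect_gws_mfa_disabled(GWS_EVENTS) + detect_azure_mfa_disabled(AZURE_EVENTS):
        print(row)
```

Two points worth noting when tuning the real searches: because `result` is part of the Azure grouping key, a failed "Disable Strong Authentication" lands in its own row rather than being merged with, or hidden behind, the successful one, which is what you want when triaging a burst of attempts; and an operation initiated by a service principal rather than a user has no `initiatedBy.user.userPrincipalName`, so it is still reported, with an empty `initiatedBy`, rather than silently dropped by the rename.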