LoFP / Legitimate users may fail to respond to the MFA challenge within the allowed time window, or may deny the prompt by mistake.

Techniques

Sample rules

GCP Authentication Failed During MFA Challenge

Description

The following analytic detects failed authentication attempts during the Multi-Factor Authentication (MFA) challenge on a Google Cloud Platform (GCP) tenant. It uses Google Workspace login failure events (event.name=login_failure) that carry a login_challenge_method to identify attempts in which an MFA method was challenged but not successfully completed. This activity is significant because an MFA challenge is only issued after the first factor has been accepted, so failures at this step may indicate an adversary holding compromised credentials who is being stopped by MFA. If confirmed malicious, this points to an ongoing attempt to breach the account, potentially compromising sensitive data and resources within the GCP environment if the second factor is eventually bypassed.

Detection logic

`gws_reports_login` event.name=login_failure `gws_login_mfa_methods` 
| stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method 
| `gcp_authentication_failed_during_mfa_challenge_filter`

AWS Console Login Failed During MFA Challenge

Description

The following analytic identifies failed authentication attempts to the AWS Console during the Multi-Factor Authentication (MFA) challenge. It leverages AWS CloudTrail ConsoleLogin events, specifically the additionalEventData.MFAUsed field, to detect logins that reached the MFA prompt (MFAUsed = "Yes") but still ended in an errorMessage of "Failed authentication". This activity is significant because reaching the MFA prompt means the password was accepted, so the failure may indicate an adversary with compromised credentials being thwarted by MFA. If confirmed malicious, this suggests an ongoing attempt to breach the account, potentially leading to unauthorized access and further attacks if MFA is bypassed.

Detection logic

`cloudtrail` eventName= ConsoleLogin errorMessage="Failed authentication" additionalEventData.MFAUsed = "Yes" 
| stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion user_name userIdentity.arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `aws_console_login_failed_during_mfa_challenge_filter`
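Both searches above have the same shape: select MFA-related login failures, then `stats count min(_time) max(_time) by <key>`, then a `_filter` macro for tuning. The block below is an added example (not the project's own code) that renders both the Google Workspace rule and the AWS CloudTrail rule in plain Python and runs them over a few constructed log records embedded inline. The GWS_MFA_METHODS set stands in for the `gws_login_mfa_methods` macro, and `apply_filter` stands in for the two `_filter` macros; both are assumptions about what those macros do, not their real contents.

```python
"""Plain-Python rendering of the two Splunk searches on this page, run over
constructed sample records (not real telemetry). Added example, not the
project's own code."""
from datetime import datetime, timezone

# Assumption: the `gws_login_mfa_methods` macro narrows login_challenge_method
# to second-factor challenge types. This set is illustrative, not the macro.
GWS_MFA_METHODS = {"google_prompt", "security_key", "idv_preregistered_phone",
                   "backup_code", "totp"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stats(rows):
    """`stats count min(_time) as firstTime max(_time) as lastTime by key`."""
    out = {}
    for key, t in rows:
        agg = out.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
        agg["count"] += 1
        agg["firstTime"] = min(agg["firstTime"], t)
        agg["lastTime"] = max(agg["lastTime"], t)
    return out


def gws_mfa_challenge_failures(records):
    """Workspace rule: event.name=login_failure with an MFA challenge method,
    grouped by (user, src_ip, login_challenge_method)."""
    rows = []
    for rec in records:
        for ev in rec.get("events", []):
            if ev.get("name") != "login_failure":
                continue
            params = {p["name"]: p.get("multiValue", p.get("value"))
                      for p in ev.get("parameters", [])}
            methods = params.get("login_challenge_method") or []
            if isinstance(methods, str):
                methods = [methods]
            for m in methods:  # login_challenge_method is multi-valued
                if m in GWS_MFA_METHODS:
                    key = (rec["actor"]["email"], rec["ipAddress"], m)
                    rows.append((key, _ts(rec["id"]["time"])))
    return stats(rows)


def aws_console_mfa_failures(records):
    """AWS rule: ConsoleLogin + errorMessage="Failed authentication" +
    additionalEventData.MFAUsed="Yes", grouped by (src, user_name, arn)."""
    rows = []
    for rec in records:
        if (rec.get("eventName") != "ConsoleLogin"
                or rec.get("errorMessage") != "Failed authentication"
                or rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            continue
        ident = rec.get("userIdentity", {})
        key = (rec.get("sourceIPAddress"), ident.get("userName"), ident.get("arn"))
        rows.append((key, _ts(rec["eventTime"])))
    return stats(rows)


def apply_filter(results, min_count=1, allow_users=()):
    """Assumed stand-in for the `*_filter` macros: drop allow-listed users and
    keys below a repeat threshold, which is where a user who simply let one
    prompt time out (the LoFP above) gets tuned out."""
    return {k: v for k, v in results.items()
            if v["count"] >= min_count and not any(p in allow_users for p in k)}


def _gws(time, email, ip, name, params):  # constructed Reports API record
    return {"id": {"time": time}, "actor": {"email": email}, "ipAddress": ip,
            "events": [{"name": name, "parameters": params}]}


MFA = [{"name": "login_challenge_method", "multiValue": ["google_prompt"]}]
GWS_EVENTS = [
    _gws("2024-03-01T08:00:05Z", "alice@example.com", "203.0.113.10", "login_failure", MFA),
    _gws("2024-03-01T08:01:40Z", "alice@example.com", "203.0.113.10", "login_failure", MFA),
    # bad password, no second-factor challenge issued: out of scope
    _gws("2024-03-01T08:02:00Z", "bob@example.com", "198.51.100.7", "login_failure",
         [{"name": "login_failure_type", "value": "login_failure_invalid_password"}]),
    _gws("2024-03-01T08:03:00Z", "alice@example.com", "203.0.113.10", "login_success", MFA),
]


def _ct(time, eid, mfa, error="Failed authentication"):  # constructed CloudTrail record
    rec = {"eventTime": time, "eventName": "ConsoleLogin", "eventID": eid,
           "eventSource": "signin.amazonaws.com", "awsRegion": "us-east-1",
           "sourceIPAddress": "203.0.113.10", "userAgent": "Mozilla/5.0",
           "userIdentity": {"type": "IAMUser", "userName": "alice",
                            "arn": "arn:aws:iam::123456789012:user/alice"},
           "additionalEventData": {"MFAUsed": mfa}}
    if error:
        rec["errorMessage"] = error
    return rec


CLOUDTRAIL_EVENTS = [
    _ct("2024-03-01T09:00:00Z", "e1", "Yes"),
    _ct("2024-03-01T09:00:30Z", "e2", "Yes"),
    _ct("2024-03-01T09:01:00Z", "e3", "No"),            # failed before the MFA prompt
    _ct("2024-03-01T09:02:00Z", "e4", "Yes", error=None),  # successful login
]

if __name__ == "__main__":
    for name, hits in (("gws", gws_mfa_challenge_failures(GWS_EVENTS)),
                       ("aws", aws_console_mfa_failures(CLOUDTRAIL_EVENTS))):
        for key, agg in apply_filter(hits, min_count=2).items():
            print(name, key, agg["count"], agg["firstTime"], agg["lastTime"])
```

Two points the example makes visible. First, the sample records that fail before the second factor (a bad password with no challenge, or MFAUsed = "No") never reach the aggregation, which is what makes these rules a "password already known" signal rather than generic brute-force noise. Second, the AWS search groups by eventID, which is unique per CloudTrail record, so its count is always 1 and repeated failures from one source never aggregate; the example groups by source, user name and ARN instead so that a `min_count` threshold can be applied when tuning the `_filter` macro for the false positive described at the top of this page.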