LoFP / Legitimate users may fail to respond to the MFA challenge within the time window, or may deny it by mistake.

Techniques

Sample rules

AWS Console Login Failed During MFA Challenge

Description

The following analytic identifies an authentication attempt event against an AWS Console that fails during the Multi-Factor Authentication challenge. AWS CloudTrail logs provide a very useful field called additionalEventData that records whether MFA was used. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.

Detection logic

`cloudtrail` eventName=ConsoleLogin errorMessage="Failed authentication" additionalEventData.MFAUsed="Yes"
| stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion user_name userIdentity.arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `aws_console_login_failed_during_mfa_challenge_filter`

Azure AD Authentication Failed During MFA Challenge

Description

The following analytic identifies an authentication attempt event against an Azure AD tenant that fails during the Multi-Factor Authentication challenge. Error code 500121 represents a failed attempt to authenticate using a second factor. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.

Detection logic

`azure_monitor_aad` category=SignInLogs properties.status.errorCode=500121
| rename properties.* as * 
| stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, status.additionalDetails, appDisplayName, user_agent 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `azure_ad_authentication_failed_during_mfa_challenge_filter`

GCP Authentication Failed During MFA Challenge

Description

The following analytic identifies an authentication attempt event against a Google Cloud Platform tenant that fails during the Multi-Factor Authentication challenge. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.

Detection logic

`gws_reports_login` event.name=login_failure `gws_login_mfa_methods`
| stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method 
| `gcp_authentication_failed_during_mfa_challenge_filter`
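As an added example (not code from the Splunk content or from this page), the three filter stages above applied in Python to constructed sample events, then aggregated by user and source the way the `stats` stages do. The `gws_login_mfa_methods` macro, whose definition is not shown, is modelled as "a login_challenge_method is present", and the review threshold in `needs_review` is an assumption chosen to separate the single missed or denied challenge described by the false positive from repeated failures.

```python
# Constructed sample events; field names follow the SPL above, values are made up.
SAMPLE_EVENTS = [
    {"source": "cloudtrail", "_time": 100, "eventName": "ConsoleLogin",
     "errorMessage": "Failed authentication", "user_name": "alice",
     "src": "198.51.100.7", "additionalEventData": {"MFAUsed": "Yes"}},
    {"source": "cloudtrail", "_time": 160, "eventName": "ConsoleLogin",
     "errorMessage": "Failed authentication", "user_name": "alice",
     "src": "198.51.100.7", "additionalEventData": {"MFAUsed": "Yes"}},
    {"source": "cloudtrail", "_time": 170, "eventName": "ConsoleLogin",  # password
     "errorMessage": "Failed authentication", "user_name": "bob",      # failure,
     "src": "198.51.100.8", "additionalEventData": {"MFAUsed": "No"}},  # not MFA
    {"source": "azure_monitor_aad", "_time": 200, "category": "SignInLogs",
     "properties": {"status": {"errorCode": 500121}, "user": "carol", "src_ip": "203.0.113.5"}},
    {"source": "azure_monitor_aad", "_time": 210, "category": "SignInLogs",  # success
     "properties": {"status": {"errorCode": 0}, "user": "carol", "src_ip": "203.0.113.5"}},
    {"source": "gws_reports_login", "_time": 300, "event": {"name": "login_failure"},
     "user": "dave", "src_ip": "192.0.2.9", "login_challenge_method": "phone"},
]

def failed_mfa_key(ev):
    """Mirror the filter stage of the matching rule; return (user, src_ip) or None."""
    if ev["source"] == "cloudtrail":
        if (ev.get("eventName") == "ConsoleLogin"
                and ev.get("errorMessage") == "Failed authentication"
                and ev.get("additionalEventData", {}).get("MFAUsed") == "Yes"):
            return ev["user_name"], ev["src"]
    elif ev["source"] == "azure_monitor_aad":
        p = ev.get("properties", {})  # `rename properties.* as *`
        if ev.get("category") == "SignInLogs" and p.get("status", {}).get("errorCode") == 500121:
            return p["user"], p["src_ip"]
    elif ev["source"] == "gws_reports_login":
        # Assumption: `gws_login_mfa_methods` is modelled as "a challenge method is set".
        if ev.get("event", {}).get("name") == "login_failure" and ev.get("login_challenge_method"):
            return ev["user"], ev["src_ip"]
    return None

def aggregate(events):
    """Equivalent of `stats count min(_time) as firstTime max(_time) as lastTime by ...`."""
    rows = {}
    for ev in events:
        key = failed_mfa_key(ev)
        if key is None: continue
        r = rows.setdefault((ev["source"],) + key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        r["count"] += 1
        r["firstTime"], r["lastTime"] = min(r["firstTime"], ev["_time"]), max(r["lastTime"], ev["_time"])
    return rows

def needs_review(rows, min_count=2):
    """One failure fits the false positive above; repeats (threshold is an assumption) warrant review."""
    return {k: v for k, v in rows.items() if v["count"] >= min_count}
```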