Techniques
Sample rules
AWS Console Login Failed During MFA Challenge
- source: splunk
- techniques:
- T1586
- T1586.003
- T1621
Description
The following analytic identifies an authentication attempt against the AWS Console that fails during the Multi-Factor Authentication challenge. AWS CloudTrail ConsoleLogin events carry a very useful field called additionalEventData that records whether MFA was used in the sign-in (MFAUsed). Because the challenge is only presented after the first factor is accepted, a failure at this stage may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled; the source IP and user agent in the grouped results are the first things to compare against the user's normal activity.
Detection logic
`cloudtrail` eventName= ConsoleLogin errorMessage="Failed authentication" additionalEventData.MFAUsed = "Yes"
| stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion user_name userIdentity.arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_console_login_failed_during_mfa_challenge_filter`
Azure AD Authentication Failed During MFA Challenge
- source: splunk
- techniques:
- T1586
- T1586.003
- T1078
- T1078.004
- T1621
Description
The following analytic identifies an authentication attempt against an Azure AD tenant that fails during the Multi-Factor Authentication challenge. Sign-in error code 500121 represents a failed attempt to authenticate using a second factor (as opposed to a wrong password, which never reaches the challenge). This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.
Detection logic
`azure_monitor_aad` category=SignInLogs properties.status.errorCode=500121
| rename properties.* as *
| stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, status.additionalDetails, appDisplayName, user_agent
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_authentication_failed_during_mfa_challenge_filter`
GCP Authentication Failed During MFA Challenge
- source: splunk
- techniques:
- T1586
- T1586.003
- T1078
- T1078.004
- T1621
Description
The following analytic identifies an authentication attempt against a Google Cloud Platform tenant that fails during the Multi-Factor Authentication challenge. It reads Google Workspace login reports (the `gws_reports_login` source), which record sign-ins for the Google accounts used to reach GCP, and keeps only login_failure events whose login_challenge_method is a second factor (the set is defined by the `gws_login_mfa_methods` macro, not shown here). This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.
Detection logic
`gws_reports_login` event.name=login_failure `gws_login_mfa_methods`
| stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method
| `gcp_authentication_failed_during_mfa_challenge_filter`
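The three detections above share one shape: filter sign-in events to the ones that failed at the second factor, then `stats count min(_time) max(_time) by` source and user. The block below is an added example, not Splunk's code or part of the original page, that re-implements all three predicates and the aggregation in plain Python so the logic can be checked against sample events without a Splunk instance. The events are constructed; field names follow the raw CloudTrail, Azure AD SignInLogs and Google Workspace login-report schemas rather than Splunk's CIM aliases (src, user_name, src_ip), and GWS_MFA_METHODS is an assumption standing in for the page's unshown `gws_login_mfa_methods` macro.

```python
"""Plain-Python re-implementation of the three MFA-challenge-failure detections.

Added example, not Splunk's code. Each predicate mirrors the SPL search predicate;
stats() mirrors `| stats count min(_time) as firstTime max(_time) as lastTime by ...`.
All events are constructed. GWS_MFA_METHODS is an assumption (the page does not show
the `gws_login_mfa_methods` macro).
"""
from __future__ import annotations
from typing import Any, Callable, Iterable


def field(event: dict, path: str) -> Any:
    """Resolve a dotted path such as 'additionalEventData.MFAUsed'; None if absent."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def stats(events: Iterable[dict], match: Callable[[dict], bool], by: list[str]) -> dict:
    """count / min(_time) / max(_time) per group key, over events passing `match`."""
    rows: dict[tuple, dict] = {}
    for e in events:
        if not match(e):
            continue
        key = tuple(field(e, f) for f in by)
        row = rows.setdefault(key, {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], e["_time"])
        row["lastTime"] = max(row["lastTime"], e["_time"])
    return rows


# AWS: eventName=ConsoleLogin errorMessage="Failed authentication" additionalEventData.MFAUsed="Yes"
def aws_failed_during_mfa(e: dict) -> bool:
    return (field(e, "eventName") == "ConsoleLogin"
            and field(e, "errorMessage") == "Failed authentication"
            and field(e, "additionalEventData.MFAUsed") == "Yes")


# Azure AD: category=SignInLogs properties.status.errorCode=500121
def azure_failed_during_mfa(e: dict) -> bool:
    return field(e, "category") == "SignInLogs" and field(e, "properties.status.errorCode") == 500121


GWS_MFA_METHODS = {"security_key", "google_authenticator", "backup_code"}  # assumption, see docstring


# GWS: event.name=login_failure AND login_challenge_method is a second factor
def gws_failed_during_mfa(e: dict) -> bool:
    return field(e, "event.name") == "login_failure" and field(e, "login_challenge_method") in GWS_MFA_METHODS


# Constructed sample events; the helpers just keep the fixtures short.
def ct(t, user, ip, mfa, error=None):
    e = {"_time": t, "eventName": "ConsoleLogin", "sourceIPAddress": ip,
         "additionalEventData": {"MFAUsed": mfa},
         "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}"}}
    if error:
        e["errorMessage"] = error
    return e


def aad(t, upn, ip, code, detail=""):
    return {"_time": t, "category": "SignInLogs",
            "properties": {"userPrincipalName": upn, "ipAddress": ip, "appDisplayName": "Azure Portal",
                           "status": {"errorCode": code, "additionalDetails": detail}}}


def gws(t, user, ip, name, method):
    return {"_time": t, "user": user, "src_ip": ip, "event": {"name": name}, "login_challenge_method": method}


CLOUDTRAIL = [
    ct(1000, "alice", "203.0.113.10", "Yes", "Failed authentication"),  # wrong OTP after a valid password
    ct(1060, "alice", "203.0.113.10", "Yes", "Failed authentication"),  # second try, same source
    ct(1200, "carol", "203.0.113.10", "No", "Failed authentication"),   # wrong password, MFA never reached
    ct(1300, "alice", "198.51.100.5", "Yes"),                           # successful MFA login
]
AZURE = [
    aad(2000, "dave@example.com", "198.51.100.7", 500121, "MFA denied; user declined the authentication"),
    aad(2030, "dave@example.com", "198.51.100.7", 50126),   # invalid username or password
    aad(2060, "dave@example.com", "10.0.0.8", 0),           # success
    aad(2090, "dave@example.com", "198.51.100.7", 500121, "MFA denied; user declined the authentication"),
]
GOOGLE = [
    gws(3000, "erin@example.com", "192.0.2.44", "login_failure", "security_key"),
    gws(3010, "erin@example.com", "192.0.2.44", "login_failure", "password"),  # first-factor failure
    gws(3020, "erin@example.com", "192.0.2.44", "login_success", "security_key"),
]


def run_all() -> dict:
    """Run each detection over its sample events, grouped as the SPL `by` clauses group them."""
    return {
        "aws": stats(CLOUDTRAIL, aws_failed_during_mfa, ["sourceIPAddress", "userIdentity.arn"]),
        "azure": stats(AZURE, azure_failed_during_mfa,
                       ["properties.userPrincipalName", "properties.ipAddress", "properties.status.additionalDetails"]),
        "gws": stats(GOOGLE, gws_failed_during_mfa, ["user", "src_ip", "login_challenge_method"]),
    }


if __name__ == "__main__":
    for name, rows in run_all().items():
        for key, row in rows.items():
            print(name, key, row)
```

Running it yields one row per rule: alice's two CloudTrail failures collapse into a single group (count 2, firstTime 1000, lastTime 1060), dave's two 500121 sign-ins do the same, and erin's single security_key failure stands alone; the wrong-password events in each source are excluded because they never reached the second factor, which is exactly the distinction these rules draw.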