Techniques
Sample rules
Azure AD Multiple Denied MFA Requests For User
- source: splunk
- technicques:
- T1621
Description
This analytic targets the detection of an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically identifying instances where more than nine MFA prompts were declined by the user. Utilizing Azure Active Directory (Azure AD) sign-in logs, particularly focusing on “Sign-in activity” events, it filters for scenarios where the MFA request was denied due to the user declining the authentication, as indicated by error code 500121 and additional details stating “MFA denied; user declined the authentication.” The data is then aggregated into 10-minute intervals, counting distinct raw events and capturing the earliest and latest times of occurrence for each user. This behavior is significant for a Security Operations Center (SOC) as it could be an early indicator of a targeted attack or an account compromise attempt, with an attacker having obtained the user’s credentials and the user actively declining the MFA prompts, preventing unauthorized access. A true positive detection would imply that an attacker is on the verge of gaining full access to the user’s account, posing a threat that could lead to data exfiltration, lateral movement, or further malicious activities within the organization, necessitating immediate investigation and response to safeguard the organization’s assets.
Detection logic
`azure_monitor_aad` category=SignInLogs operationName="Sign-in activity"
| rename properties.* as *
| search status.errorCode=500121 status.additionalDetails="MFA denied; user declined the authentication"
| bucket span=10m _time
| stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, appDisplayName, user_agent
| where count > 9
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_multiple_denied_mfa_requests_for_user_filter`