Techniques
Sample rules
Azure AD New MFA Method Registered
- source: splunk
- techniques:
  - T1098.005
Description
The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a user account in Azure Active Directory. It leverages Azure AD audit logs ("Update user" operations that modify the StrongAuthenticationMethod property) to identify changes in MFA configurations. This activity is significant because adding a new MFA method is a common way for an attacker to maintain persistence on a compromised account: once their own authenticator or phone is enrolled, resetting the password alone does not evict them. If confirmed malicious, the attacker could bypass existing security measures, solidify their access, and potentially escalate privileges, access sensitive data, or make unauthorized changes. Immediate verification and remediation are required to secure the affected account. Note that legitimate onboarding and device replacement produce the same event, so corroborate with the sign-in that preceded the change (source IP, device, location) and tune known-good cases through the filter macro rather than by loosening the search.
Detection logic
`azure_monitor_aad` operationName="Update user"
| rename properties.* as *
| eval propertyName = mvindex('targetResources{}.modifiedProperties{}.displayName',0)
| search propertyName = StrongAuthenticationMethod
| eval oldvalue = mvindex('targetResources{}.modifiedProperties{}.oldValue',0)
| eval newvalue = mvindex('targetResources{}.modifiedProperties{}.newValue',0)
| rex field=newvalue max_match=0 "(?i)(?<new_method_type>\"MethodType\")"
| rex field=oldvalue max_match=0 "(?i)(?<old_method_type>\"MethodType\")"
| eval count_new_method_type = coalesce(mvcount(new_method_type), 0)
| eval count_old_method_type = coalesce(mvcount(old_method_type), 0)
| where count_new_method_type > count_old_method_type
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by dest user src vendor_account vendor_product newvalue oldvalue signature
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_new_mfa_method_registered_filter`
O365 New MFA Method Registered
- source: splunk
- techniques:
  - T1098.005
Description
The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a user account within Office 365. It leverages O365 management activity audit logs ("Update user." operations in the AzureActiveDirectory workload that modify the StrongAuthenticationMethod property) to identify changes in MFA configurations. This activity is significant as it may indicate an attacker's attempt to maintain persistence on a compromised account by enrolling an authenticator they control. If confirmed malicious, the attacker could bypass existing security measures, solidify their access, and potentially escalate privileges or access sensitive data. Immediate verification and remediation are required to secure the affected account. As with the Azure AD variant, legitimate enrolments look identical in the log, so pair the alert with the preceding sign-in context and tune expected activity through the filter macro.
Detection logic
`o365_management_activity` Workload=AzureActiveDirectory Operation="Update user."
| eval propertyName = mvindex('ModifiedProperties{}.Name', 0)
| search propertyName = StrongAuthenticationMethod
| eval oldvalue = mvindex('ModifiedProperties{}.OldValue',0)
| eval newvalue = mvindex('ModifiedProperties{}.NewValue',0)
| rex field=newvalue max_match=0 "(?i)(?<new_method_type>\"MethodType\")"
| rex field=oldvalue max_match=0 "(?i)(?<old_method_type>\"MethodType\")"
| eval count_new_method_type = coalesce(mvcount(new_method_type), 0)
| eval count_old_method_type = coalesce(mvcount(old_method_type), 0)
| where count_new_method_type > count_old_method_type
| fillnull
| stats earliest(_time) as firstTime latest(_time) as lastTime values(propertyName) by user newvalue oldvalue vendor_account vendor_product dest signature src
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_new_mfa_method_registered_filter`
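The two searches above share one idea: serialise the old and new `StrongAuthenticationMethod` values, count the `"MethodType"` keys in each, and alert only when the count grew. The following is an added example, not Splunk's code, that re-implements that logic offline in Python over constructed sample records in both log shapes (the Azure AD audit shape with `properties.targetResources[].modifiedProperties[]` and the O365 management activity shape with `ModifiedProperties[]`), so the behaviour can be checked without a Splunk instance. It deliberately goes one step beyond the SPL in one respect: the searches only inspect the first modified property (`mvindex(..., 0)`), whereas this scans every modified property for `StrongAuthenticationMethod`. Taking the target user from `ObjectId` (O365) or the first target resource's `userPrincipalName` (Azure AD) is an assumption of this example; in Splunk that comes from the add-on's CIM `user` field. The integer `MethodType` values in the samples are illustrative only; the rule counts entries and does not decode them.

```python
"""Offline re-implementation of the Azure AD / O365 "New MFA Method Registered" logic.

Added example, not Splunk's code. Counts "MethodType" keys in the old and new
StrongAuthenticationMethod values and flags the event only when the count grew.
"""
import re

# Same pattern as the SPL rex: one match per method entry in the serialised value.
METHOD_TYPE_RE = re.compile(r'"MethodType"', re.IGNORECASE)
TARGET_PROPERTY = "StrongAuthenticationMethod"


def count_method_types(value):
    """Mirror coalesce(mvcount(<rex matches>), 0): number of MethodType keys, 0 if empty."""
    if not value:
        return 0
    return len(METHOD_TYPE_RE.findall(value))


def normalise(event):
    """Map either log shape to (is_update_user, target_user, [(name, old, new), ...]).

    Target-user field choice (ObjectId / first targetResource userPrincipalName) is an
    assumption of this example; the SPL uses the add-on's CIM `user` field.
    """
    if "ModifiedProperties" in event:  # O365 management activity shape
        is_update = (event.get("Workload") == "AzureActiveDirectory"
                     and event.get("Operation") == "Update user.")
        props = [(p.get("Name"), p.get("OldValue"), p.get("NewValue"))
                 for p in event["ModifiedProperties"]]
        return is_update, event.get("ObjectId"), props
    # Azure AD audit (azure_monitor_aad) shape
    is_update = event.get("operationName") == "Update user"
    resources = event.get("properties", {}).get("targetResources", [])
    props = [(p.get("displayName"), p.get("oldValue"), p.get("newValue"))
             for r in resources for p in r.get("modifiedProperties", [])]
    user = resources[0].get("userPrincipalName") if resources else None
    return is_update, user, props


def evaluate(event):
    """Return a finding dict when a new MFA method was registered, else None.

    Broader than the SPL's mvindex(..., 0): every modified property is checked.
    """
    is_update, user, props = normalise(event)
    if not is_update:
        return None
    for name, old, new in props:
        if name != TARGET_PROPERTY:
            continue
        n_old, n_new = count_method_types(old), count_method_types(new)
        if n_new > n_old:  # the `where` clause: a method was added, not removed/reordered
            return {"user": user, "old_methods": n_old, "new_methods": n_new}
    return None


def run_detection(events):
    """Apply evaluate() to a batch of records and keep only the findings."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample records (not real tenant data); MethodType integers are illustrative.
SAMPLE_EVENTS = [
    {   # Azure AD audit: a second method added next to an existing one -> alert
        "operationName": "Update user",
        "properties": {"targetResources": [{
            "userPrincipalName": "alice@example.com",
            "modifiedProperties": [
                {"displayName": "StrongAuthenticationMethod",
                 "oldValue": '[{"MethodType":5,"Default":true}]',
                 "newValue": '[{"MethodType":5,"Default":false},{"MethodType":6,"Default":true}]'},
            ]}]},
    },
    {   # Azure AD audit: a method removed, count shrinks -> no alert
        "operationName": "Update user",
        "properties": {"targetResources": [{
            "userPrincipalName": "bob@example.com",
            "modifiedProperties": [
                {"displayName": "StrongAuthenticationMethod",
                 "oldValue": '[{"MethodType":5,"Default":true},{"MethodType":6,"Default":false}]',
                 "newValue": '[{"MethodType":6,"Default":true}]'},
            ]}]},
    },
    {   # O365: first method ever registered (old value is an empty list) -> alert
        "Workload": "AzureActiveDirectory", "Operation": "Update user.",
        "ObjectId": "carol@example.com",
        "ModifiedProperties": [
            {"Name": "StrongAuthenticationMethod", "OldValue": "[]",
             "NewValue": '[{"MethodType":7,"Default":true}]'},
        ],
    },
    {   # O365: unrelated attribute change on the same operation -> no alert
        "Workload": "AzureActiveDirectory", "Operation": "Update user.",
        "ObjectId": "dave@example.com",
        "ModifiedProperties": [
            {"Name": "DisplayName", "OldValue": '["Dave"]', "NewValue": '["Dave Smith"]'},
        ],
    },
]

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(finding)
```

Running the block reports findings for alice (1 method to 2) and carol (0 to 1) and nothing for bob or dave. Two limits of the counting approach carry over from the SPL: a change that keeps the number of methods equal (one method swapped for another) does not fire, and changes to other properties in the same "Update user" event, such as `StrongAuthenticationUserDetails`, where the phone number behind an existing SMS or voice method is stored, are not examined at all. Consider a companion search on that property if phone-number takeover is in scope.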