Techniques
Sample rules
O365 New MFA Method Registered
- source: splunk
- techniques:
- T1098.005
Description
The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a user account within Office 365. It leverages O365 audit logs to identify changes in MFA configurations. This activity is significant as it may indicate an attacker’s attempt to maintain persistence on a compromised account. If confirmed malicious, the attacker could bypass existing security measures, solidify their access, and potentially escalate privileges or access sensitive data. Immediate verification and remediation are required to secure the affected account.
Detection logic
`o365_management_activity` Workload=AzureActiveDirectory Operation="Update user."
| eval propertyName = mvindex('ModifiedProperties{}.Name', 0)
| search propertyName IN ("StrongAuthenticationMethod", "StrongAuthenticationPhoneAppDetail")
| eval oldvalue = mvindex('ModifiedProperties{}.OldValue', 0)
| eval newvalue = mvindex('ModifiedProperties{}.NewValue', 0)
| rex field=newvalue max_match=0 "(?i)(?<new_method_type>MethodType|DeviceName)"
| rex field=oldvalue max_match=0 "(?i)(?<old_method_type>MethodType|DeviceName)"
| eval count_new_method_type = coalesce(mvcount(new_method_type), 0)
| eval count_old_method_type = coalesce(mvcount(old_method_type), 0)
| where count_new_method_type > count_old_method_type
| fillnull
| stats earliest(_time) as firstTime latest(_time) as lastTime values(propertyName) as propertyName by user newvalue oldvalue vendor_account vendor_product dest signature src
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_new_mfa_method_registered_filter`
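The same comparison the SPL performs (count MethodType/DeviceName entries in the first modified property's NewValue versus its OldValue, alert when the new count is higher) can be exercised offline against sample audit records. The script below is an added example, not part of the Splunk security content; the events are constructed, and it assumes the O365 audit field names CreationTime, Workload, Operation, ObjectId and ModifiedProperties (with Name/OldValue/NewValue), treating ObjectId as the `user` the rule groups by.

```python
import re
from collections import defaultdict
from typing import Optional

# Tokens the SPL rex pulls out of OldValue/NewValue with max_match=0 (every occurrence).
METHOD_TOKEN = re.compile(r"MethodType|DeviceName", re.IGNORECASE)

# Property names the SPL keeps after taking the first ModifiedProperties entry.
WATCHED_PROPERTIES = {"StrongAuthenticationMethod", "StrongAuthenticationPhoneAppDetail"}

# Constructed sample records shaped like O365 "Update user." audit events.
# Field names follow the O365 audit schema (assumed); all values are made up.
SAMPLE_EVENTS = [
    {   # first MFA method registered on an account that had none -> should alert
        "CreationTime": "2024-03-01T09:15:00", "Workload": "AzureActiveDirectory",
        "Operation": "Update user.", "ObjectId": "alice@example.com",
        "ModifiedProperties": [{"Name": "StrongAuthenticationMethod",
                                "OldValue": "[]",
                                "NewValue": '[{"MethodType":6,"Default":true}]'}],
    },
    {   # a second method added to the same account an hour later -> should alert
        "CreationTime": "2024-03-01T10:20:00", "Workload": "AzureActiveDirectory",
        "Operation": "Update user.", "ObjectId": "alice@example.com",
        "ModifiedProperties": [{"Name": "StrongAuthenticationMethod",
                                "OldValue": '[{"MethodType":6,"Default":true}]',
                                "NewValue": '[{"MethodType":6,"Default":true},'
                                            '{"MethodType":7,"Default":false}]'}],
    },
    {   # authenticator device renamed: one DeviceName before and after -> no alert
        "CreationTime": "2024-03-01T11:00:00", "Workload": "AzureActiveDirectory",
        "Operation": "Update user.", "ObjectId": "bob@example.com",
        "ModifiedProperties": [{"Name": "StrongAuthenticationPhoneAppDetail",
                                "OldValue": '[{"DeviceName":"Pixel 6","AuthenticationType":"Notification"}]',
                                "NewValue": '[{"DeviceName":"Pixel 7","AuthenticationType":"Notification"}]'}],
    },
    {   # a method removed (two before, one after) -> no alert
        "CreationTime": "2024-03-01T11:30:00", "Workload": "AzureActiveDirectory",
        "Operation": "Update user.", "ObjectId": "carol@example.com",
        "ModifiedProperties": [{"Name": "StrongAuthenticationMethod",
                                "OldValue": '[{"MethodType":6},{"MethodType":7}]',
                                "NewValue": '[{"MethodType":6}]'}],
    },
    {   # unrelated attribute change -> no alert
        "CreationTime": "2024-03-01T12:00:00", "Workload": "AzureActiveDirectory",
        "Operation": "Update user.", "ObjectId": "dave@example.com",
        "ModifiedProperties": [{"Name": "DisplayName", "OldValue": "Dave", "NewValue": "David"}],
    },
    {   # wrong workload -> filtered out by the base search
        "CreationTime": "2024-03-01T12:30:00", "Workload": "Exchange",
        "Operation": "Update user.", "ObjectId": "erin@example.com",
        "ModifiedProperties": [{"Name": "StrongAuthenticationMethod",
                                "OldValue": "[]", "NewValue": '[{"MethodType":6}]'}],
    },
]


def count_method_tokens(value: Optional[str]) -> int:
    """coalesce(mvcount(<rex matches>), 0): number of MethodType/DeviceName entries."""
    return len(METHOD_TOKEN.findall(value)) if value else 0


def evaluate_event(event: dict) -> Optional[dict]:
    """Apply the rule to one event; return a hit record or None."""
    if event.get("Workload") != "AzureActiveDirectory" or event.get("Operation") != "Update user.":
        return None
    props = event.get("ModifiedProperties") or []
    if not props:
        return None
    first = props[0]  # mirrors mvindex('ModifiedProperties{}.*', 0): only the first entry is inspected
    if first.get("Name") not in WATCHED_PROPERTIES:
        return None
    new_count = count_method_tokens(first.get("NewValue"))
    old_count = count_method_tokens(first.get("OldValue"))
    if new_count <= old_count:
        return None
    return {"time": event["CreationTime"], "user": event.get("ObjectId"),
            "propertyName": first["Name"], "oldvalue": first.get("OldValue"),
            "newvalue": first.get("NewValue"),
            "count_old_method_type": old_count, "count_new_method_type": new_count}


def run_detection(events: list) -> list:
    """Hits for every event that passes the where clause."""
    return [hit for hit in map(evaluate_event, events) if hit is not None]


def summarize(hits: list) -> list:
    """Mirror the stats clause: earliest/latest time and property names per user/newvalue/oldvalue."""
    groups = defaultdict(list)
    for hit in hits:
        groups[(hit["user"], hit["newvalue"], hit["oldvalue"])].append(hit)
    rows = []
    for (user, newvalue, oldvalue), members in groups.items():
        times = sorted(h["time"] for h in members)  # ISO timestamps sort lexically
        rows.append({"user": user, "newvalue": newvalue, "oldvalue": oldvalue,
                     "firstTime": times[0], "lastTime": times[-1],
                     "propertyName": sorted({h["propertyName"] for h in members})})
    return rows


if __name__ == "__main__":
    for row in summarize(run_detection(SAMPLE_EVENTS)):
        print(row)
```

Running it yields two summary rows, both for alice@example.com: the initial registration and the later addition of a second method. The rename, the removal, the unrelated attribute change and the Exchange event all drop out, which matches the rule's intent of firing only when the number of registered methods or devices grows. Note that, like the SPL, only the first ModifiedProperties element is examined, so an event whose MFA change is not the first listed property would not be seen by this logic.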