Name:Azure AD Multiple Denied MFA Requests For User id:d0895c20-de71-4fd2-b56c-3fcdb888eba1 version:4 date:2024-09-30 author:Mauricio Velazco, Splunk status:production type:TTP Description:The following analytic detects an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically when more than nine MFA prompts are declined. It leverages Azure Active Directory (Azure AD) sign-in logs, focusing on "Sign-in activity" events with error code 500121 and additional details indicating "MFA denied; user declined the authentication." This behavior is significant as it may indicate a targeted attack or account compromise attempt, with the user actively declining unauthorized access. If confirmed malicious, it could lead to data exfiltration, lateral movement, or further malicious activities. Data_source:
-Azure Active Directory Sign-in activity
search:`azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" | rename properties.* as * | search status.errorCode=500121 status.additionalDetails="MFA denied; user declined the authentication" | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, appDisplayName, user_agent | where count > 9 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_denied_mfa_requests_for_user_filter`
how_to_implement:You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. known_false_positives:Multiple denifed MFA requests in a short period of span may also be a sign of authentication errors. Investigate and filter as needed. References: -https://www.mandiant.com/resources/blog/russian-targeting-gov-business -https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/ -https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/ -https://attack.mitre.org/techniques/T1621/ -https://attack.mitre.org/techniques/T1078/004/ -https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Azure Active Directory Account Takeover' asset_type:Azure Active Directory confidence:90 impact:60 atomic_guid: message:User $user$ denied more than 9 MFA requests in a timespan of 10 minutes. mitre_attack_id: - 'T1621' observable: name:'user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' risk_score:54 required_fields: - '_time' - 'category' - 'properties.status.errorCode' - 'properties.status.additionalDetails' - 'user' - 'properties.appDisplayName' - 'user_agent' security_domain:identity
