← Library
sigmaDRL-1.1from SigmaHQ/sigma

Potential MFA Bypass Using Legacy Client Authentication

Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1078.004T1110
Rule sourcerules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml
title: Potential MFA Bypass Using Legacy Client Authentication
id: 53bb4f7f-48a8-4475-ac30-5a82ddfdf6fc
status: test
description: Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.
references:
    - https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022
    - https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/
author: Harjot Singh, '@cyb3rjy0t'
date: 2023-03-20
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-evasion
    - attack.initial-access
    - attack.credential-access
    - attack.t1078.004
    - attack.t1110
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        Status: 'Success'
        userAgent|contains:
            - 'BAV2ROPC'
            - 'CBAinPROD'
            - 'CBAinTAR'
    condition: selection
falsepositives:
    - Known Legacy Accounts
level: high