Azure AD Multiple AppIDs and UserAgents Authentication Spike
Detects anomalous Azure AD authentication activity characterized by a single user exceeding 8 authentication attempts, utilizing 3+ unique application IDs and 5+ unique user agents within a 5-minute window, potentially indicating MFA probing or account compromise.
This analytic identifies suspicious authentication patterns in Azure Active Directory. It focuses on scenarios where a single user account exhibits a rapid succession of authentication attempts, originating from multiple application IDs and user agents. This behavior deviates significantly from typical user activity and may indicate an adversary attempting to bypass or probe multi-factor authentication (MFA) implementations. The activity is detected by monitoring Azure AD audit logs for sign-in events and applying statistical thresholds to identify outliers. Successful exploitation could lead to account compromise, enabling lateral movement, data exfiltration, and further malicious actions within the Azure environment. Early detection and response are crucial to mitigate the potential impact of such attacks.
Attack Chain
- The attacker gains initial access to a user's credentials through phishing, credential stuffing, or other means.
- The attacker attempts to authenticate to Azure AD using the compromised credentials.
- Azure AD prompts for multi-factor authentication (MFA).
- The attacker uses automated tools or scripts to repeatedly attempt authentication, cycling through different application IDs and user agents, attempting to bypass MFA or identify vulnerabilities in its configuration.
- Azure AD logs each authentication attempt in the SignInLogs, capturing details about the user, application, and user agent involved.
- If successful in bypassing MFA, the attacker gains access to the user's account and resources within Azure AD.
- The attacker leverages the compromised account to perform reconnaissance, identify sensitive data, or move laterally to other resources within the Azure environment.
- The attacker exfiltrates data, deploys malware, or performs other malicious actions to achieve their objectives.
Impact
A successful attack can result in the compromise of user accounts and sensitive data within the Azure Active Directory environment. This can lead to unauthorized access to resources, data breaches, and disruption of business operations. The scope of impact can range from individual accounts to entire organizations, depending on the attacker's objectives and the extent of access gained. A compromised account allows lateral movement and privilege escalation.
Recommendation
- Deploy the Sigma rule
Azure AD Multiple AppIDs and UserAgents Authentication Spiketo your SIEM and tune the thresholds (count > 5, unique_app_ids > 2, unique_user_agents > 5) based on your environment's baseline activity. - Investigate any alerts generated by the Sigma rule by examining the user's authentication history, application usage, and user agent details to determine the legitimacy of the activity.
- Implement and enforce strong MFA policies for all users, as probing for MFA inconsistencies (https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/) is a likely precursor to account compromise.
- Monitor Azure AD sign-in logs (Azure Active Directory Sign-in activity) for unusual patterns, such as a high volume of failed authentication attempts, logins from unfamiliar locations, or use of suspicious user agents.
Detection coverage 2
Azure AD Multiple AppIDs and UserAgents Authentication Spike
highDetects a spike in Azure AD authentication attempts from a single user account using multiple AppIDs and User Agents, indicative of potential MFA probing or account compromise.
Azure AD Sign-in from Multiple Geolocation
mediumDetects sign-in attempts from a single user originating from multiple distinct geographic locations within a short timeframe, potentially indicating account compromise.
Detection queries are available on the platform. Get full rules →