Skip to content
Threat Feed
medium advisory

Cisco Duo Admin Login from Unusual Browser

Detects Cisco Duo admin logins from browsers other than Chrome, potentially indicating compromised credentials, session hijacking, or unauthorized device usage.

This analytic identifies instances of Cisco Duo administrators logging in using a web browser other than Chrome. The assumption is that most administrators within an organization consistently use Chrome, making other browsers anomalous. This detection is based on Cisco Duo activity logs ingested via the Cisco Security Cloud App. The activity logs are filtered for admin login events where the browser used is not Chrome. Detecting deviations from expected administrative access patterns can highlight potential security breaches such as credential compromise, session hijacking, or unauthorized device access. The scope of targeting is organizations using Cisco Duo for multi-factor authentication.

Attack Chain

  1. An attacker gains unauthorized access to a Duo administrator's credentials through phishing, malware, or social engineering.
  2. The attacker leverages the stolen credentials to initiate a login attempt to the Duo admin panel.
  3. The attacker uses a non-standard browser (e.g., Firefox, Safari, Edge) to access the Duo admin login page.
  4. Duo activity logs record the admin login attempt, including the browser type, IP address, and geolocation data.
  5. The Splunk analytic identifies the login attempt as anomalous because the browser is not Chrome.
  6. Security analysts investigate the alert and confirm unauthorized access.
  7. The attacker makes unauthorized changes to security policies, user access, or disables security controls within the Duo admin panel.

Impact

A successful attack could result in unauthorized modifications to security policies, user access, or the disabling of critical security controls. This can substantially weaken the organization's security posture, potentially leading to broader system compromises, data breaches, and service disruptions. The impact could range from targeted account takeovers to widespread privilege escalation affecting all users protected by Duo.

Recommendation

  • Deploy the Sigma rule Cisco Duo Admin Login Unusual Browser to your SIEM to detect unusual browser usage for admin logins and tune for your specific environment.
  • Investigate any alerts generated by the Sigma rule Cisco Duo Admin Login Unusual Browser promptly to determine the legitimacy of the login attempt.
  • Review and reinforce security awareness training to prevent credential theft through phishing or other social engineering attacks.
  • Monitor the Duo activity logs for other suspicious activities, such as logins from unusual locations or at unusual times.
  • Ensure that the Cisco Security Cloud App is properly configured and ingesting Duo activity logs as described in the reference URL.

Detection coverage 2

Cisco Duo Admin Login Unusual Browser

medium

Detects Cisco Duo admin logins from browsers other than Chrome.

sigma tactics: credential_access techniques: T1556 sources: webserver, linux

Cisco Duo Admin Login from Unusual OS

low

Detects Cisco Duo admin logins from an operating system other than Windows or MacOS.

sigma tactics: credential_access techniques: T1556 sources: webserver, linux

Detection queries are available on the platform. Get full rules →