Cisco Duo Admin Login from Unusual Operating System
Detection of Cisco Duo admin login attempts originating from operating systems not typically used in the environment, potentially indicating account compromise or unauthorized access.
This analytic focuses on identifying unusual administrative login activity within Cisco Duo environments. By monitoring Duo activity logs, it flags login attempts from operating systems that deviate from the norm, excluding common platforms like Mac OS X. The goal is to detect potential credential compromise or unauthorized access by threat actors utilizing unfamiliar devices. This method analyzes admin login actions, filters out logins from expected operating systems, aggregates events by browser, version, source IP, location, and OS details to highlight anomalies. The detection logic specifically looks for deviations from established patterns of administrative access, enabling security operations to quickly identify and respond to potentially malicious activities. This analytic uses data ingested via the Cisco Security Cloud App.
Attack Chain
- Initial Access: The attacker gains access to a valid Duo admin username and password, potentially through phishing, credential stuffing, or other means.
- Authentication Request: The attacker attempts to log in to the Duo admin panel using the compromised credentials.
- Duo Authentication: Duo prompts the attacker for secondary authentication (e.g., push notification, passcode).
- Bypass/Compromise MFA: The attacker bypasses or compromises the MFA mechanism, possibly through social engineering, SIM swapping, or exploiting vulnerabilities.
- Admin Login: The attacker successfully logs in to the Duo admin panel from an operating system not typically used by legitimate administrators.
- Privilege Escalation: Once logged in, the attacker might attempt to escalate privileges or modify user permissions.
- Policy Changes: The attacker could modify Duo policies to weaken security controls or bypass MFA requirements for other users.
- Lateral Movement: The attacker uses their access to pivot to other systems or applications integrated with Duo.
Impact
A successful attack could lead to unauthorized access to sensitive Duo configurations, potentially affecting the security of all applications and users protected by Duo. This can lead to widespread compromise, data breaches, and disruption of services. If an attacker successfully compromises a Duo admin account, they could disable MFA for targeted users, add new unauthorized users, or modify security policies to weaken the overall security posture.
Recommendation
- Deploy the following Sigma rule to detect Duo admin logins from unusual operating systems and tune it for your specific environment.
- Investigate any alerts generated by the Sigma rule to determine the legitimacy of the login attempts.
- Monitor Cisco Duo activity logs for any suspicious changes to user accounts, policies, or authentication methods using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404).
- Implement strong MFA policies and educate users about phishing and social engineering attacks.
- Review and update Duo admin access controls to ensure only authorized personnel have access to administrative functions.
Detection coverage 2
Cisco Duo Admin Login from Unusual OS
highDetects Duo admin logins from operating systems not typically used in the environment.
Cisco Duo Admin Login with Unusual Browser
mediumDetects Duo admin logins from browser not typically used in the environment.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
2
url
| Type | Value |
|---|---|
| url | https://splunkbase.splunk.com/app/7404 |
| url | https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_activity.json |