GCP Authentication Failure During MFA Challenge
Detection of failed MFA challenges in Google Cloud Platform (GCP) using Google Workspace login failure events, potentially indicating credential compromise and unauthorized access attempts.
This analytic identifies failed authentication attempts during Multi-Factor Authentication (MFA) challenges within a Google Cloud Platform (GCP) environment. It leverages Google Workspace login failure events to detect instances where MFA methods were challenged but not successfully completed. The detection is based on Google Workspace login failure events where MFA methods were challenged. This activity could signify an adversary attempting to gain unauthorized access to an account using compromised credentials, even with MFA enabled. Successful exploitation could lead to data breaches, resource hijacking, or other malicious activities within the targeted GCP environment. The Splunk Add-on for Google Workspace (app ID 5556) is required for data ingestion.
Attack Chain
- The attacker obtains valid or partially valid credentials through phishing (T1566), credential stuffing, or purchasing them from the dark web.
- The attacker attempts to log in to a GCP account using the obtained credentials (T1078.004).
- GCP's login process identifies the need for MFA and issues a login challenge using a configured method.
- The attacker fails to complete the MFA challenge, indicating they do not possess the correct MFA token or cannot respond correctly (T1621).
- Multiple failed MFA attempts may occur from the same IP address or user account.
- If the attacker eventually succeeds in bypassing MFA (e.g., through a vulnerability or social engineering), they gain unauthorized access to the GCP environment.
- Once inside, the attacker can perform reconnaissance, escalate privileges, and access sensitive data.
- The attacker exfiltrates data or deploys malicious resources within the GCP environment, causing damage or disruption.
Impact
A successful attack can lead to unauthorized access to sensitive data and resources within the GCP environment. This could result in data breaches, financial loss, reputational damage, and disruption of services. The severity depends on the compromised account's permissions and the attacker's objectives within the GCP environment.
Recommendation
- Deploy the Sigma rule
GCP Authentication Failed During MFA Challengeto your SIEM and tune the threshold based on your environment's baseline for failed MFA attempts. - Investigate any alerts generated by the
GCP Authentication Failed During MFA Challengerule to determine if the failed MFA attempts are legitimate or indicative of malicious activity. - Monitor login events for unusual patterns, such as multiple failed MFA attempts from the same IP address or user account.
- Ensure all users have strong, unique passwords and are enrolled in MFA.
- Review and enforce Conditional Access policies to restrict access based on location, device, and other factors.
- Install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) to collect the required Google Workspace login events.
Detection coverage 2
GCP Authentication Failed During MFA Challenge
mediumDetects failed MFA challenges during GCP authentication attempts, indicating potential credential compromise.
GCP Unusual Failed MFA Challenge by Source IP
highDetects multiple failed MFA challenges from a single source IP address, indicating potential brute-force attempts.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
1
url
| Type | Value |
|---|---|
| url | https://splunkbase.splunk.com/app/5556 |