sigma-rules/hunting/okta/docs/credential_access_mfa_bombing_push_notications.md
Terrance DeJesus 50e23ba242 [Hunting] Re-factor Hunting Library Code (#4085)
* updating python code for hunting library

* fixed okta queries; added MITRE search capability

* fixed hunting unit test imports

* fixed duplicate UUID; fixed duplicate index entry bug

* fixed technique finding sub-technique in search

* added more unit tests

* linted

* flake errors addressed; fixed unit test import; fixed markdown generate bug

* added description for generate-markdown command

* updated README

* adjusted YAML index, adjusted code for index changes

* adjusted relative imports; updated CODEOWNERS

* adding updates; moving to different branch for main dependencies

* finished run-query command; made some code adjustments

* removed some comments

* revised makefile; fixed unit tests; adjusted detection rules pyproject

* updated README

* updated README

* adjusted unit tests; adjusted hunt guidelines; updated makefile; adjusted several commands

* adjusted package to be more object-oriented

* removed unused variable

* Add simple breakdown stats

* addressed feedback; added keyword option for search

* Update hunting/README.md

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update detection_rules/etc/test_hunting_cli.bash

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>

* addressing feedback

* addressed feedback

* added message for unknown index; fixed function call

* fixed search command

* fixed flake error

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
2024-10-03 12:47:40 -04:00


Rapid MFA Deny Push Notifications (MFA Bombing)


Metadata

  • Author: Elastic

  • Description: This hunting query identifies MFA bombing (push fatigue) attacks in Okta. Adversaries who already hold a user's password may flood the user with repeated MFA push notifications, either to disrupt operations or in the hope that the user eventually approves one and grants them access. This query surfaces users with five or more Okta Verify push denials within a single 10 minute window.

  • UUID: 223451b0-6eca-11ef-a070-f661ea17fbcc

  • Integration: okta

  • Language: [ES|QL]

  • Source File: Rapid MFA Deny Push Notifications (MFA Bombing)

Query

from logs-okta*
| where @timestamp > NOW() - 7 day

// Truncate the timestamp to 10 minute windows
| eval target_time_window = DATE_TRUNC(10 minutes, @timestamp)

// Filter for MFA deny push notifications
| where event.action == "user.mfa.okta_verify.deny_push"

// Count the number of MFA deny push notifications for each user in each 10 minute window
| stats deny_push_count = count(*) by target_time_window, okta.actor.alternate_id

// Keep users with 5 or more MFA deny push notifications in a window (>= 5, not strictly more than 5)
| where deny_push_count >= 5

Notes

  • okta.actor.alternate_id is the targeted user account (the user whose push was denied), not the adversary.
  • Pivot on okta.actor.alternate_id and search for event.action == "user.authentication.auth_via_mfa" after the burst of denials to determine whether the targeted user eventually accepted a push notification.
  • Okta only sends a Verify push after the primary factor succeeds, so a burst of push denials implies the adversary already holds the user's username and password. Treat the credentials as compromised and reset them regardless of whether a push was accepted.
  • DATE_TRUNC buckets events into fixed 10 minute windows, so a burst that straddles a window boundary (for example three denials at 12:08 and two at 12:11) is split across two buckets and falls below the threshold. Lower the threshold, widen the window, or re-run with shifted boundaries if a targeted user appears just below the cutoff.
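The aggregation in the query and the pivot from the notes, re-implemented in Python over constructed Okta System Log style events so the logic can be exercised offline. This is an added example and is not part of the Elastic hunting library or the Okta integration; the field names (event.action, okta.actor.alternate_id, @timestamp) follow the integration's ECS mapping, the sample events are invented, and the sliding-window variant is an assumed extension that shows which bursts the fixed DATE_TRUNC buckets miss.

```python
# Added example, not code from the Elastic hunting library. Re-implements the
# ES|QL hunt (count Okta Verify push denials per user per fixed 10 minute bucket,
# flag counts >= 5), adds a sliding-window variant to show the bucket-boundary
# caveat, and performs the auth_via_mfa pivot from the Notes.
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

DENY = "user.mfa.okta_verify.deny_push"
AUTH_VIA_MFA = "user.authentication.auth_via_mfa"
WINDOW = timedelta(minutes=10)
THRESHOLD = 5  # matches the query's "deny_push_count >= 5"
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def sample_ts(minute_offset):
    # Constructed timestamps relative to 2024-10-03T12:00:00Z (sample data, not real logs).
    return datetime(2024, 10, 3, 12, 0, tzinfo=timezone.utc) + timedelta(minutes=minute_offset)


def make_event(minute_offset, action, user):
    return {"@timestamp": sample_ts(minute_offset), "event.action": action,
            "okta.actor.alternate_id": user}


# Constructed sample events (assumed, for illustration only):
#   alice: six denials inside the 12:00-12:10 bucket, then an auth_via_mfa at 12:07
#   bob:   five denials between 12:08 and 12:12, split 3/2 across two buckets
#   carol: two denials, benign
SAMPLE_EVENTS = (
    [make_event(m, DENY, "alice@example.com") for m in (1, 2, 3, 4, 5, 6)]
    + [make_event(7, AUTH_VIA_MFA, "alice@example.com")]
    + [make_event(m, DENY, "bob@example.com") for m in (8, 9, 9.5, 10, 12)]
    + [make_event(m, DENY, "carol@example.com") for m in (20, 25)]
)


def date_trunc(ts, window=WINDOW):
    # Mirrors ES|QL DATE_TRUNC: floor to the start of an epoch-aligned fixed bucket.
    return EPOCH + ((ts - EPOCH) // window) * window


def tumbling_window_hits(events, threshold=THRESHOLD, window=WINDOW):
    # The page's query: stats count(*) by DATE_TRUNC(10 minutes, @timestamp), user;
    # where count >= threshold. Returns {(bucket_start, user): deny_count}.
    counts = Counter()
    for e in events:
        if e["event.action"] == DENY:
            counts[(date_trunc(e["@timestamp"], window), e["okta.actor.alternate_id"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def sliding_window_hits(events, threshold=THRESHOLD, window=WINDOW):
    # Caveat variant: flag a user if ANY span shorter than `window` holds >= threshold
    # denials, so bursts straddling a bucket boundary are not split and lost.
    per_user = defaultdict(list)
    for e in events:
        if e["event.action"] == DENY:
            per_user[e["okta.actor.alternate_id"]].append(e["@timestamp"])
    hits = {}
    for user, stamps in per_user.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:  # slide the left edge forward
                start += 1
            n = end - start + 1
            if n >= threshold:
                hits[user] = max(hits.get(user, 0), n)
    return hits


def accepted_after_bombing(events, flagged_users):
    # The Notes' pivot: for each flagged user, the first auth_via_mfa event that
    # occurs after that user's first push denial (i.e. the user approved a push).
    first_deny = {}
    for e in events:
        u = e["okta.actor.alternate_id"]
        if e["event.action"] == DENY and u in flagged_users:
            first_deny[u] = min(first_deny.get(u, e["@timestamp"]), e["@timestamp"])
    accepted = {}
    for e in sorted(events, key=lambda ev: ev["@timestamp"]):
        u = e["okta.actor.alternate_id"]
        if (e["event.action"] == AUTH_VIA_MFA and u in first_deny
                and e["@timestamp"] > first_deny[u] and u not in accepted):
            accepted[u] = e["@timestamp"]
    return accepted


if __name__ == "__main__":
    for (bucket, user), n in sorted(tumbling_window_hits(SAMPLE_EVENTS).items()):
        print(f"fixed bucket {bucket:%H:%M}  {user}: {n} denials")
    sliding = sliding_window_hits(SAMPLE_EVENTS)
    print("sliding window hits:", sliding)
    print("accepted a push after the burst:", accepted_after_bombing(SAMPLE_EVENTS, set(sliding)))
```

Run as a script it prints that alice is caught by the fixed buckets, that bob is caught only by the sliding window (his five denials are split 3/2 by the 12:10 boundary), and that alice later produced an auth_via_mfa event, the pivot that turns a noisy hunt hit into a likely compromise.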

MITRE ATT&CK Techniques

License

  • Elastic License v2