Securing cloud accounts against threat actors who manipulate multi-factor authentication (MFA) settings is an ongoing challenge for organizations globally. These threat actors are adept at altering compromised users’ MFA attributes: bypassing MFA requirements, disabling MFA for other users, or enrolling rogue devices. They operate stealthily, often mirroring legitimate helpdesk activity to evade detection, which makes their changes hard to pick out from the noise of directory audit logs.
To safeguard against this insidious attack vector in cloud environments, organizations must bolster their monitoring and controls around MFA configuration changes. In a recent development, cybersecurity researchers at Microsoft have shed light on the use of KQL (Kusto Query Language) to detect and hunt for MFA manipulation.
Microsoft’s Entra audit logs document changes to MFA settings with two entries: one with a descriptive activity name that lacks detailed information, and a second “Update user” event that shows the modified properties amid a large amount of extraneous data. Analyzing these logs in the Entra portal can be challenging because of the sheer volume of data, particularly in larger tenants. Leveraging the Kusto Query Language (KQL), however, can streamline this process.
Cybersecurity analysts at Microsoft have shared pre-built KQL queries for Azure Log Analytics and Microsoft 365 Defender Advanced Hunting to assist in the analysis and detection of MFA configuration changes within one’s own tenant. By utilizing these queries, organizations can enhance their monitoring capabilities even though audit logs are only retained for a limited period, typically 30 days by default.
There are three key MFA properties – StrongAuthenticationMethod, StrongAuthenticationUserDetails, and StrongAuthenticationAppDetail – that should be monitored for alterations in a user’s registered MFA and default methods. By employing KQL to filter log entries based on timestamps, actors, targets, and changed, old, and new values, security analysts can identify modified MFA settings, potential anomalies, and areas requiring further investigation.
Furthermore, researchers have extended the KQL query to detect changes in MFA details like added or modified emails and phone numbers across multiple users within a specific timeframe. By scrutinizing DeviceName and DeviceToken to identify devices registered for Authenticator App logins, security analysts can pinpoint suspicious MFA configuration changes at scale.
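The following KQL query is an added example written for this article; it is not one of Microsoft’s published queries. It serves both passages above: it pulls the three MFA properties out of “Update user” audit events with actor, target, old and new values, and then flags a phone number, e-mail address or Authenticator DeviceToken that is registered on more than one user within a short window. The inline datatable, the tenant and user names, the DeviceToken placeholder and the one-hour sharing window are constructed assumptions; the column names (TimeGenerated, OperationName, InitiatedBy, TargetResources) match the AuditLogs table in Azure Log Analytics, which replaces the datatable in real use.

```kql
// Added example, not from the article or from Microsoft's published queries.
// Constructed sample audit records (placeholder tenant, users and tokens).
// In a real workspace, replace SampleAuditLogs with the AuditLogs table.
let SampleAuditLogs = datatable(TimeGenerated: datetime, OperationName: string,
                                InitiatedBy: dynamic, TargetResources: dynamic)
[
    // Helpdesk actor changes alice's MFA phone number
    datetime(2024-05-01 09:00:00), "Update user",
    dynamic({"user": {"userPrincipalName": "helpdesk@contoso.example"}}),
    dynamic([{"userPrincipalName": "alice@contoso.example", "modifiedProperties": [
        {"displayName": "StrongAuthenticationUserDetails",
         "oldValue": "[{\"PhoneNumber\":\"+1 5550100\",\"Email\":null}]",
         "newValue": "[{\"PhoneNumber\":\"+1 5550199\",\"Email\":null}]"}]}]),
    // Same actor sets the same new phone number on bob five minutes later
    datetime(2024-05-01 09:05:00), "Update user",
    dynamic({"user": {"userPrincipalName": "helpdesk@contoso.example"}}),
    dynamic([{"userPrincipalName": "bob@contoso.example", "modifiedProperties": [
        {"displayName": "StrongAuthenticationUserDetails",
         "oldValue": "[{\"PhoneNumber\":\"+1 5550200\",\"Email\":null}]",
         "newValue": "[{\"PhoneNumber\":\"+1 5550199\",\"Email\":null}]"}]}]),
    // A new Authenticator device is enrolled for carol
    datetime(2024-05-01 09:07:00), "Update user",
    dynamic({"user": {"userPrincipalName": "helpdesk@contoso.example"}}),
    dynamic([{"userPrincipalName": "carol@contoso.example", "modifiedProperties": [
        {"displayName": "StrongAuthenticationAppDetail",
         "oldValue": "[]",
         "newValue": "[{\"DeviceName\":\"Unknown-Android\",\"DeviceToken\":\"DEVICETOKEN-PLACEHOLDER-1\",\"DeviceTag\":\"SoftwareTokenActivated\"}]"}]}]),
    // alice changes her own default method (self-service)
    datetime(2024-05-01 14:20:00), "Update user",
    dynamic({"user": {"userPrincipalName": "alice@contoso.example"}}),
    dynamic([{"userPrincipalName": "alice@contoso.example", "modifiedProperties": [
        {"displayName": "StrongAuthenticationMethod",
         "oldValue": "[{\"MethodType\":6,\"Default\":true}]",
         "newValue": "[{\"MethodType\":6,\"Default\":false},{\"MethodType\":7,\"Default\":true}]"}]}]),
    // Unrelated attribute change; must be filtered out
    datetime(2024-05-01 15:00:00), "Update user",
    dynamic({"user": {"userPrincipalName": "helpdesk@contoso.example"}}),
    dynamic([{"userPrincipalName": "dave@contoso.example", "modifiedProperties": [
        {"displayName": "DisplayName", "oldValue": "\"Dave\"", "newValue": "\"David\""}]}])
];
// One row per changed MFA property: who changed what, on whom, from/to which value
let MfaChanges = SampleAuditLogs
| where OperationName == "Update user"
| mv-expand TargetResource = TargetResources
| mv-expand ModifiedProperty = TargetResource.modifiedProperties
| extend PropertyName = tostring(ModifiedProperty.displayName)
| where PropertyName in ("StrongAuthenticationMethod",
                         "StrongAuthenticationUserDetails",
                         "StrongAuthenticationAppDetail")
| project TimeGenerated, PropertyName,
          Actor = tostring(InitiatedBy.user.userPrincipalName),
          Target = tostring(TargetResource.userPrincipalName),
          // old/new values are JSON carried as strings; parse them for inspection
          OldValue = parse_json(tostring(ModifiedProperty.oldValue)),
          NewValue = parse_json(tostring(ModifiedProperty.newValue));
// One row per registered value (phone, e-mail, Authenticator device, or method entry)
let RegisteredValues = MfaChanges
| mv-expand Detail = NewValue
| extend RegisteredValue = coalesce(tostring(Detail.PhoneNumber),
                                    tostring(Detail.Email),
                                    tostring(Detail.DeviceToken),
                                    iff(isnotnull(Detail.MethodType),
                                        strcat("MethodType=", tostring(Detail.MethodType),
                                               " Default=", tostring(Detail.Default)),
                                        "")),
         DeviceName = tostring(Detail.DeviceName)
| where isnotempty(RegisteredValue);
// Phone/e-mail/device values that land on more than one distinct user within one hour
// (assumed window); method codes are excluded because many users legitimately share them
let SharedValues = toscalar(RegisteredValues
| where PropertyName != "StrongAuthenticationMethod"
| summarize Targets = dcount(Target), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
            by RegisteredValue
| where Targets > 1 and LastSeen - FirstSeen <= 1h
| summarize make_set(RegisteredValue));
RegisteredValues
| extend SharedAcrossUsers = set_has_element(SharedValues, RegisteredValue)
| project TimeGenerated, Actor, Target, PropertyName, RegisteredValue, DeviceName,
          SharedAcrossUsers, OldValue, NewValue
| order by TimeGenerated asc
```

Run as written in any Log Analytics or Azure Data Explorer query window, the sample yields one row per registered value: the two rows carrying +1 5550199 (alice and bob, five minutes apart from the same helpdesk actor) have SharedAcrossUsers set to true, carol’s new device row shows its DeviceName and DeviceToken, and alice’s self-service method change lists each method entry with its Default flag. The unrelated DisplayName change never reaches the output. The window and the “more than one user” threshold are the knobs to tune for a tenant’s normal helpdesk volume.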
As the adoption of multi-factor authentication (MFA) continues to grow, threat actors are increasingly targeting MFA for initial access through tactics like token hijacking, social engineering attacks, and token stealing. Monitoring MFA configuration changes through Microsoft Entra audit logs can help organizations quickly detect malicious MFA-related activity across their infrastructure, leading to prompt investigation and mitigation.
In conclusion, staying vigilant against evolving threats to cloud security, particularly those targeting MFA settings, is imperative for organizations to protect their sensitive data and maintain the integrity of their systems. Leveraging advanced tools like KQL and closely monitoring MFA configuration changes can significantly enhance an organization’s cyber resilience and readiness to combat malicious actors in the cloud environment.

