Potential Abuse of Repeated MFA Push Notifications
Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.
[metadata]
creation_date = "2022/01/05"
integration = ["okta"]
maturity = "production"
# min_stack_version is the floor for deploying this rule; min_stack_comments records
# the reason (rule-schema fields that first appeared in that release).
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/31"

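[rule]
author = ["Elastic"]
description = """
Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the
user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured
for an organization to obtain unauthorized access.
"""
# Documented benign match: the query only needs two denied pushes followed by any SSO event for the
# same user inside the window, which a legitimate user can produce on their own (see query comments).
false_positives = [
    """
    A user who declines two unexpected or mis-tapped Okta Verify prompts and then signs in to an application within the
    ten minute window will match this sequence without an attacker being involved. Validate against the source of the
    login that followed the denials before treating the alert as push fatigue.
    """,
]
index = ["filebeat-*", "logs-okta*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Abuse of Repeated MFA Push Notifications"
note = """## Setup

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://www.mandiant.com/resources/russian-targeting-gov-business",
    "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
]
risk_score = 73
rule_id = "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7"
severity = "high"
tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"]
type = "eql"

# Sequence semantics:
#   - all three events must share the same user.email and fall within maxspan=10m;
#     an Okta event that lacks user.email can never be correlated by this rule
#     (NOTE(review): confirm the Okta integration populates user.email for
#     user.mfa.okta_verify.deny_push, not only for the SSO event);
#   - stages 1 and 2 are two separate deny_push events, i.e. the threshold is
#     exactly two denials - there is no upper bound and no requirement that the
#     denials come from distinct login attempts;
#   - stage 3 matches on event.action alone: it does not require the push to have
#     been approved nor an event.outcome of success, so any SSO activity after two
#     denials completes the sequence. That is the source of the false positive
#     documented above; tighten stage 3 before raising risk_score further.
query = '''
sequence by user.email with maxspan=10m
  [any where event.dataset == "okta.system" and event.module == "okta" and event.action == "user.mfa.okta_verify.deny_push"]
  [any where event.dataset == "okta.system" and event.module == "okta" and event.action == "user.mfa.okta_verify.deny_push"]
  [any where event.dataset == "okta.system" and event.module == "okta" and event.action == "user.authentication.sso"]
'''

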
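[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"

# Push fatigue is a distinct ATT&CK technique from password brute force: the
# adversary already holds valid credentials and is generating MFA prompts until
# one is approved. T1110 is kept for backward compatibility with existing
# dashboards and searches keyed on it; T1621 is the precise mapping.
[[rule.threat.technique]]
id = "T1621"
name = "Multi-Factor Authentication Request Generation"
reference = "https://attack.mitre.org/techniques/T1621/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"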
Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.