Okta User Session Start Via An Anonymising Proxy Service

Sep 11, 2023 · attack.defense_evasion attack.t1562.006 ·

Detects when an Okta user session starts where the user is behind an anonymising proxy service.

Sigma rule (View on GitHub)

 1title: Okta User Session Start Via An Anonymising Proxy Service
 2id: bde30855-5c53-4c18-ae90-1ff79ebc9578
 3status: experimental
 4description: Detects when an Okta user session starts where the user is behind an anonymising proxy service.
 5references:
 6    - https://developer.okta.com/docs/reference/api/system-log/
 7    - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
 8author: kelnage
 9date: 2023/09/07
10tags:
11    - attack.defense_evasion
12    - attack.t1562.006
13logsource:
14    product: okta
15    service: okta
16detection:
17    selection:
18        eventtype: 'user.session.start'
19        securitycontext.isproxy: 'true'
20    condition: selection
21falsepositives:
22    - If a user requires an anonymising proxy due to valid justifications.
23level: high

References

System Log | Okta Developer

Secure, scalable, and highly available authentication and user management for any app.

Read More
Cross-Tenant Impersonation: Prevention and Detection

Summary Okta has observed attacks in which a threat actor used social engineering to attain a highly privileged role in an Okta customer Organization (tenant). When successful, the threat actor demonstrated novel methods of lateral movement and defense evasion. These methods are preventable and present several detection opportunities for defenders. In recent weeks, multiple US-based Okta customers have reported a consistent pattern of so

Read More

Okta User Session Start Via An Anonymising Proxy Service

Sigma rule (View on GitHub)

References

System Log | Okta Developer

Cross-Tenant Impersonation: Prevention and Detection

Related rules