Potential MFA Bypass Using Legacy Client Authentication

Rule Info

Name
Potential MFA Bypass Using Legacy Client Authentication
Author
Harjot Singh, '@cyb3rjy0t'
Description
Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.
Reference
https://blooteem.com/march-2022
Date
2023-03-20 00:00:00
Modified
None
Id
53bb4f7f-48a8-4475-ac30-5a82ddfdf6fc
Tags
attack.initial_access attack.credential_access attack.t1078.004 attack.t1110 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=53bb4f7f-48a8-4475-ac30-5a82ddfdf6fc

Rule History

Author
Title
Date
Commit
github-actions[bot]
Merge PR #4700 from @nasbench - Promote older rules status from `experimental` to `test`
2024-02-01
367ebd939
Nasreddine Bencherchali
Merge PR #4476 from @nasbench - re-organize cloud folder and other things
2023-10-12
7364ce00b
phantinuss
fix: wording
2023-03-21
98ab4bcd6
Nasreddine Bencherchali
fix: apply suggestions from code review
2023-03-20
b253e8caf
phantinuss
fix: file extension (3)
2023-03-20
d6b91a9ab
phantinuss
fix: file extension (2)
2023-03-20
23fc8e1d0
phantinuss
fix: missing file extention
2023-03-20
f53e9676b
cyb3rjy0t
azure_ad_suspicious_signin_bypassingMFA
2023-03-20
14eea4ebc
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022