Saturday, January 18, 2025
HomeAzureMicrosoft Details On Using KQL To Hunt For MFA Manipulations

Microsoft Details On Using KQL To Hunt For MFA Manipulations

Published on

SIEM as a Service

Follow Us on Google News

It is difficult to secure cloud accounts from threat actors who exploit multi-factor authentication (MFA) settings.

Threat actors usually alter compromised users’ MFA attributes by bypassing the requirements, disabling MFA for others, or enrolling rogue devices in the system.

They do so stealthily, mirroring helpdesk operations and making it hard to notice the noise of directory audit logs.

To protect themselves against this insidious attack vector on clouds, organizations need to strengthen monitoring and controls around MFA configuration changes.

Cybersecurity researchers at Microsoft recently detailed using the KQL (Kusto Query Language) to hunt for MFA manipulation.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

KQL Hunt For MFA Manipulations

Microsoft Entra audit logs record MFA setting changes, creating two entries: one with a descriptive activity name but lacking details and another “Update User” event showing modified properties in between much noise. 

Analyzing these in the Entra portal is difficult due to data volume, especially for large tenants. However, Kusto Query Language (KQL) can simplify this task. 

The cybersecurity analysts provided ready-to-use KQL queries for Azure Log Analytics and Microsoft Defender 365 Advanced Hunting to help analyze and detect MFA configuration changes in your own tenant.

Data flow of logs related to account manipulation (Source – Microsoft)

This allows enhanced monitoring even if audit logs are only retained for 30 days by default.

There are 3 MFA properties, and here below we have mentioned them:-

  • StrongAuthenticationMethod
  • StrongAuthenticationUserDetails
  • StrongAuthenticationAppDetail

The aim is to detect alterations in a user’s registered MFA and default methods.

Researchers used KQL to filter out entries from the logs that may have timestamps, actors, and targets alongside their changed, old, and new values. Rows are generated for multiple changed properties.

The results indicate modified MFA settings by certain users, the people who altered them, and where further investigation should concentrate.

Security analysts compare OldValue and NewValue to detect changes in MFA details like added or modified emails and phone numbers. The output shows examples that may or may not be expected. 

To hunt manipulations, they extend the query to look for MFA details added across multiple users within a timeframe, surfacing potentially rogue email addresses or phone numbers provisioned altogether. 

They can also monitor for users switching phone numbers to a different country code by checking if the first 3 characters changed between old and new values. 

These queries allow for identifying suspicious MFA configuration changes at scale.

DeviceName and DeviceToken identify devices registered for Authenticator App logins. Contrasting the OldValue and NewValue shows when users add or remove the devices. 

Checking DeviceToken across users detects if one device is registered across multiple accounts, potentially indicating compromised accounts used by an attacker to persist multi-factor access. 

While sometimes done by IT admins, reusing devices across accounts is generally insecure unless both belong to the same user.

As multi-factor authentication (MFA) becomes more widespread, attackers increasingly focus on MFA for initial access obtained through token hijacking or stealing and social engineering attacks.

Account authentication methods are frequently changed after a first compromise.

Knowing about Microsoft Entra Audit Logs of MFA modification events will help detect any suspicious activities related to MFA, such as illegal scenarios, across your organization, leading to quick investigation and remediation.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol

Researchers have discovered a critical flaw in Active Directory’s NTLMv1 mitigation strategy, where misconfigured...

AWS Warns of Multiple Vulnerabilities in Amazon WorkSpaces, Amazon AppStream 2.0, & Amazon DCV

Amazon Web Services (AWS) has issued a critical security advisory highlighting vulnerabilities in specific...

FlowerStorm PaaS Platform Attacking Microsoft Users With Fake Login Pages

Rockstar2FA is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms....

New Tool Unveiled to Scan Hacking Content on Telegram

A Russian software developer, aided by the National Technology Initiative, has introduced a groundbreaking...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol

Researchers have discovered a critical flaw in Active Directory’s NTLMv1 mitigation strategy, where misconfigured...

AWS Warns of Multiple Vulnerabilities in Amazon WorkSpaces, Amazon AppStream 2.0, & Amazon DCV

Amazon Web Services (AWS) has issued a critical security advisory highlighting vulnerabilities in specific...

FlowerStorm PaaS Platform Attacking Microsoft Users With Fake Login Pages

Rockstar2FA is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms....