Detectionhightest
Potential MFA Bypass Using Legacy Client Authentication
Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
Azuresigninlogs
ProductAzure← raw: azure
Servicesigninlogs← raw: signinlogs
Detection Logic
Detection Logic1 selector
detection:
selection:
Status: 'Success'
userAgent|contains:
- 'BAV2ROPC'
- 'CBAinPROD'
- 'CBAinTAR'
condition: selectionFalse Positives
Known Legacy Accounts
MITRE ATT&CK
Rule Metadata
Rule ID
53bb4f7f-48a8-4475-ac30-5a82ddfdf6fc
Status
test
Level
high
Type
Detection
Created
Mon Mar 20
Author
Path
rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.defense-evasionattack.initial-accessattack.credential-accessattack.t1078.004attack.t1110