Type: Detection | Level: medium | Status: test

Cisco Duo Successful MFA Authentication Via Bypass Code

Detects when a successful MFA authentication occurs due to the use of a bypass code. A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.

Author: Nikita Khalimonenkov
Created: Wed Apr 17
Rule ID: 6f7e1c10-2dc9-4312-adb6-9574ff09a5c8
Category: identity
Log Source
Product: cisco
Service: duo
Detection Logic
detection:
    selection:
        event_type: authentication
        reason: bypass_user
    condition: selection
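The selection above is a single Sigma map: every field/value pair is ANDed, and `condition: selection` fires whenever that map matches an event. As an added example (not part of the rule or of SigmaHQ), the following Python evaluates that exact selection over constructed JSON-lines Duo authentication events and then counts hits per user, which is the triage step the rule's stated false positive (a user deliberately placed in a bypass group) calls for. The record shape loosely follows Duo's Admin API v2 authentication log and is an assumption of this example; only `event_type` and `reason` are required by the rule itself.

```python
import json
from collections import Counter
from typing import Any, Dict, List, Union

# The `selection` block of the Sigma rule on this page, as a Python mapping.
# Sigma semantics: all pairs in one selection map are ANDed; a list value is an OR.
SELECTION: Dict[str, Union[str, List[str]]] = {
    "event_type": "authentication",
    "reason": "bypass_user",
}

# Constructed sample events (not real Duo data). Field names follow the Duo
# Admin API v2 authentication log as an assumption of this example.
SAMPLE_LOG = """
{"timestamp": 1713340800, "event_type": "authentication", "result": "success", "reason": "user_approved", "factor": "duo_push", "user": {"name": "alice"}, "application": {"name": "VPN"}}
{"timestamp": 1713340860, "event_type": "authentication", "result": "success", "reason": "bypass_user", "user": {"name": "bob"}, "application": {"name": "VPN"}}
{"timestamp": 1713340920, "event_type": "authentication", "result": "denied", "reason": "invalid_passcode", "factor": "sms_passcode", "user": {"name": "carol"}, "application": {"name": "Web App"}}
{"timestamp": 1713340980, "event_type": "enrollment", "user": {"name": "dave"}}
this line is not JSON and must not break the pipeline
{"timestamp": 1713341040, "event_type": "authentication", "result": "success", "reason": "bypass_user", "user": {"name": "bob"}, "application": {"name": "Admin Console"}}
"""


def field_matches(record: Dict[str, Any], field: str, expected: Union[str, List[str]]) -> bool:
    """One Sigma field/value pair. A missing field never matches; a list of
    values is an OR; string comparison is case-insensitive, as most Sigma
    backends implement it."""
    if field not in record:
        return False
    actual = str(record[field]).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    return any(actual == str(c).lower() for c in candidates)


def selection_matches(record: Dict[str, Any], selection: Dict[str, Any] = SELECTION) -> bool:
    """All pairs of a selection map must hold (logical AND)."""
    return all(field_matches(record, f, v) for f, v in selection.items())


def run_rule(log_text: str) -> List[Dict[str, Any]]:
    """Apply `condition: selection` to JSON-lines input; returns matching events.
    Malformed lines are skipped so one bad record cannot stall the pipeline."""
    hits: List[Dict[str, Any]] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if selection_matches(record):
            hits.append(record)
    return hits


def hits_by_user(hits: List[Dict[str, Any]]) -> Dict[str, int]:
    """Triage helper for the rule's false positive: a user who is deliberately
    in a bypass group fires this rule on every login, so count per user and
    compare against the known bypass-group membership before escalating."""
    return dict(Counter(h.get("user", {}).get("name", "<unknown>") for h in hits))


if __name__ == "__main__":
    matches = run_rule(SAMPLE_LOG)
    for h in matches:
        print(h["timestamp"], h["user"]["name"], h["application"]["name"], h["result"], h["reason"])
    print("hits per user:", hits_by_user(matches))
```

Note that the rule as written constrains only `event_type` and `reason`; it does not filter on Duo's `result` field, so any `result` value carrying `reason: bypass_user` is reported, and the `result` column in the output is there for the analyst, not for the match.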
False Positives

A legitimate user who was deliberately assigned to a bypass group

Rule Metadata
Rule ID
6f7e1c10-2dc9-4312-adb6-9574ff09a5c8
Status
test
Level
medium
Type
Detection
Created
Wed Apr 17
Path
rules/identity/cisco_duo/cisco_duo_mfa_bypass_via_bypass_code.yml
Raw Tags
attack.credential-access, attack.defense-evasion, attack.initial-access