/
gcp_multi_factor_authentication_disabled.yml
65 lines (65 loc) · 2.34 KB
/
gcp_multi_factor_authentication_disabled.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
name: GCP Multi-Factor Authentication Disabled
id: b9bc5513-6fc1-4821-85a3-e1d81e451c83
version: 2
date: '2024-01-04'
author: Bhavin Patel, Mauricio Velazco, Splunk
status: production
type: TTP
description: The following analytic identifies an attempt to disable multi-factor
authentication for a GCP user. An adversary who has obtained access to an GCP tenant
may disable multi-factor authentication as a way to plant a backdoor and maintain
persistence using a valid account. This way the attackers can keep persistance in
the environment without adding new users.
data_source:
- Google Workspace
search: '`gws_reports_admin` command=UNENROLL_USER_FROM_STRONG_AUTH | stats count min(_time) as firstTime max(_time) as lastTime by user, command, actor.email, status, id.applicationName, event.name, vendor_account, action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `gcp_multi_factor_authentication_disabled_filter`'
how_to_implement: You must install the latest version of Splunk Add-on for Google
Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows
Splunk administrators to collect Google Workspace event data in Splunk using Google
Workspace APIs. Specifically, this analytic leverages the Admin log events.
known_false_positives: Legitimate use case may require for users to disable MFA. Filter
as needed.
references:
- https://support.google.com/cloudidentity/answer/2537800?hl=en
- https://attack.mitre.org/tactics/TA0005/
- https://attack.mitre.org/techniques/T1556/
tags:
analytic_story:
- GCP Account Takeover
asset_type: GCP
confidence: 90
impact: 50
message: MFA disabled for User $user$ initiated by $actor.email$
mitre_attack_id:
- T1586
- T1586.003
- T1556
- T1556.006
observable:
- name: user
type: User
role:
- Victim
- name: actor.email
type: User
role:
- Attacker
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- actor.email
- user
- command
- status
risk_score: 45
security_domain: identity
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/gcp_disable_mfa/gws_admin.log
source: gws:reports:admin
sourcetype: gws:reports:admin
update_timestamp: true