| ID | Technique | Tactic |
|---|---|---|
| T1556 | Modify Authentication Process | Credential Access |
Detection: Cisco Duo Policy Bypass 2FA
Description
The following analytic detects instances where a Duo policy is created or updated to allow access without two-factor authentication (2FA). It identifies this behavior by searching Duo administrator activity logs for policy changes that set the authentication status to "Allow access without 2FA." By monitoring for these specific actions, the analytic highlights potential attempts to weaken authentication controls, which could be indicative of malicious activity or insider threats. This behavior is critical for a SOC to identify, as bypassing 2FA significantly reduces the security posture of an organization, making it easier for attackers to gain unauthorized access to sensitive systems and data. Detecting and responding to such policy changes promptly helps prevent potential account compromise and mitigates the risk of broader security breaches.
Search
1`cisco_duo_administrator` action=policy_update OR action=policy_create
2| spath input=description
3| search auth_status="Allow access without 2FA"
4| rename object as user
5| stats count min(_time) as firstTime max(_time) as lastTime by action actionlabel description user admin_email
6| `security_content_ctime(firstTime)`
7| `security_content_ctime(lastTime)`
8| `cisco_duo_policy_bypass_2fa_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco Duo Administrator | N/A | 'cisco:duo:administrator' |
'cisco_duo' |
Macros Used
| Name | Value |
|---|---|
| cisco_duo_administrator | sourcetype=cisco:duo:administrator |
| cisco_duo_policy_bypass_2fa_filter | search * |
cisco_duo_policy_bypass_2fa_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
Installation
DE.CM
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
The analytic leverages Duo activity logs to be ingested using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404).
Known False Positives
unknown
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
A policy has been created or updated to allow access without 2FA by user $user$ with email $admin_email$
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| user | user | 48 | No Threat Objects |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | duo |
cisco:duo:administrator |
| Integration | ✅ Passing | Dataset | duo |
cisco:duo:administrator |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1