Lateral movement
Azure AD Suspicious Factor Registration
Detection overview
The "Azure AD Suspicious Factor Registration" detection alerts security teams to the registration of a potentially unauthorized authentication factor, such as multi-factor authentication (MFA), to an account in Azure Active Directory. This detection indicates the possibility of an attacker attempting to retain persistent access by adding a new authentication method, which could bypass conventional security controls.
Triggers
- A suspicious new authentication factor has been registered to an account which may provide an attacker with persistent access to your tenant.
Possible Root Causes
- An attacker may have compromised an account and registered a new authentication method (such as an MFA method) in the environment to maintain continuous access. By registering a new authentication method, the attacker’s ongoing access may be extended beyond the method of initial compromise.
- A legitimate user may have added a new authentication method under circumstances that were unexpected for the environment.
- Note: The specific authentication method itself may be typical for the environment.
Business Impact
- An attacker who registers an authentication factor could bypass policies related to login requirements and access, enabling persistent access to cloud and potentially network data.
Steps to Verify
- Review whether the location of the registration aligns with the user’s expected activity.
- Consult the available logs to determine if the activity prior to the registration is as expected. • Reach out to the account owner to confirm that they registered the factor.
Azure AD Suspicious Factor Registration
Possible root causes
Malicious Detection
Attackers who have gained control of an account may add new authentication factors, such as a secondary MFA method, to maintain persistent access to the environment. This additional factor serves as an alternative means of entry, allowing the attacker to circumvent account restrictions or remain undetected despite changes to the primary account credentials.
Benign Detection
Legitimate users may sometimes register a new authentication method, such as updating or adding an MFA device. This can occur when a user changes devices or adjusts their authentication preferences, which could appear suspicious if it deviates from typical registration patterns within the organization.
Azure AD Suspicious Factor Registration
Example scenarios
1. Suspicious off-hours registration
An attacker who compromises an account registers a new MFA factor during off-hours, hoping it will go undetected, and plans to use it for persistent access.
2. Unusual device for MFA registration
A factor is registered from an unrecognized device that does not align with the user’s usual equipment, raising suspicion of unauthorized access.
Azure AD Suspicious Factor Registration
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Increased risk of unauthorized access
Attackers could bypass access restrictions, maintaining undetected access with the use of an unauthorized authentication factor.
Potential data exposure
Persistent access to Azure AD through a secondary factor may allow attackers to exfiltrate or manipulate sensitive data.
Regulatory compliance risk
Unauthorized access due to a fraudulent authentication factor could expose the organization to compliance violations by enabling access to restricted systems.
Azure AD Suspicious Factor Registration
Steps to investigate
Review authentication factor registration details
Examine the location, timing, and type of authentication factor registered for any inconsistencies with expected behavior.
Analyze prior account activities
Review recent authentication and activity logs for any suspicious patterns preceding the registration.
Contact the account owner
Confirm directly with the account holder if they initiated the registration of the new factor.
Monitor for anomalous access patterns
Track future access events to ensure no further suspicious activities are associated with the new authentication factor.
Azure AD Suspicious Factor Registration
MITRE ATT&CK techniques covered
Azure AD Suspicious Factor Registration
Related detections
FAQs
What makes an authentication factor suspicious?
Unusual timing, location, or device type for the factor registration can indicate a suspicious factor.
Why is adding an MFA method a potential risk?
It may allow attackers who have compromised an account to maintain access without detection by leveraging a secondary factor.
What should I do if this detection is triggered?
First, verify the registration details with the account owner and review associated activity logs for further anomalies.
Is the account necessarily compromised if this is triggered?
Not always; sometimes a legitimate user action may trigger this detection, but it’s critical to investigate thoroughly.
How can I confirm if the registration was legitimate?
Reviewing the registration’s origin, time, and associated device, along with confirming with the user, can help determine legitimacy.
Could a legitimate IT action trigger this?
Yes, in cases where IT registers factors on behalf of users, though this should follow strict change control procedures.
What is the risk of not investigating this detection?
Failing to investigate could allow attackers to retain undetected access, leading to potential data breaches or system disruptions.
Can attackers add factors through phishing?
Yes, attackers often use phishing to acquire initial access, which they can then expand by adding authentication factors.
Is it advisable to disable the newly registered factor immediately?
Not until verifying legitimacy, as disabling legitimate user access without verification could disrupt business activities.
Are there other detections linked to account persistence?
Other detections include suspicious sign-ons, unusual device registrations, and MFA failures that might accompany this behavior.