Merge pull request #932 from nterl0k/nterl0k-t1110-mfasweep-events

patel-bhavin · web-flow · commit 5b2216f83827 · 2025-01-14T11:14:49.000-08:00
Nterl0k - T1110 mfasweep events
diff --git a/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.log b/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ac689b65ab72fc6bad434ebebba4f42c2c2a846c915225829d2914010f9d9ad0
+size 12480
diff --git a/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.yml b/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.yml
@@ -0,0 +1,14 @@
+author: Steven Dick
+id: 27ba7e07-280e-4890-9b31-f2060d86f4c6
+date: '2024-12-19'
+description: 'Sample of MFA Sweep events used to enumerate Azure/Entra/o365 MFA weaknesses.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.log
+sourcetypes:
+- o365:management:activity
+references:
+- https://attack.mitre.org/techniques/T1110
+- https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/
+- https://sra.io/blog/msspray-wait-how-many-endpoints-dont-have-mfa/
+- https://github.com/dafthack/MFASweep/tree/master

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:ac689b65ab72fc6bad434ebebba4f42c2c2a846c915225829d2914010f9d9ad0`
	`3`	`+size 12480`