Full Report
For the third topic for Talos' 2024 Year in Review, we tell the story of how identity has become the pivot point for adversarial campaigns.
Analysis Summary
This analysis covers the identity and Multi-Factor Authentication (MFA) section of Talos' 2024 Year in Review. The source is a high-level overview of themes and techniques observed during the year; it does not describe specific malware families or proprietary tools, and it supplies no actionable Indicators of Compromise (IoCs) such as file hashes.
The summary below reflects the *techniques and procedures* emphasized in the context provided.
# Tool/Technique: Credential Abuse and MFA Bypasses (2024 Identity Attacks)
## Overview
This entry covers the cluster of adversarial techniques built around abusing valid user credentials and circumventing MFA protections. Valid accounts were the most common initial access vector for identity-focused campaigns during the year reviewed (2024).
## Technical Details
- Type: Technique
- Platform: Windows (via Active Directory exploitation), General Web Applications
- Capabilities: Initial access via stolen credentials, persistence, lateral movement, circumvention of security controls.
- First Seen: Ongoing/Evolving (Specific to 2024 trends summary)
## MITRE ATT&CK Mapping
The context describes initial access through valid accounts, credential-access techniques that produce or abuse those accounts, and bypasses of MFA as an authentication control. The mappings below use the current ATT&CK technique IDs for the behaviours the summary names; those marked "implied" are not stated in the source.
- **TA0001 - Initial Access**
- T1078 - Valid Accounts
- T1078.002 - Domain Accounts (Active Directory, the target in nearly half of identity attacks)
- T1078.004 - Cloud Accounts (Likely, given the modern identity focus)
- **TA0006 - Credential Access**
- T1110.003 - Brute Force: Password Spraying
- T1621 - Multi-Factor Authentication Request Generation (push fatigue)
- T1003 - OS Credential Dumping (Implied precursor to credential abuse)
- **TA0005 - Defense Evasion / TA0003 - Persistence**
- T1556.006 - Modify Authentication Process: Multi-Factor Authentication (exploitation of weak MFA enrollment or configuration)
## Functionality
### Core Capabilities
- **Credential Theft/Abuse:** Valid account credentials were the number one method of initial entry.
- **Active Directory Targeting:** Nearly half of identity attacks involved interaction with or exploitation attempts against Active Directory environments.
### Advanced Features
- **MFA Workarounds:** Techniques that get an attacker past MFA without defeating the factor itself.
- **Push Fatigue:** Repeatedly triggering legitimate MFA push notifications to a user who holds the correct password until they approve one out of annoyance or by mistake.
- **Password Spraying:** Trying a small number of common passwords against many accounts, staying under per-account lockout thresholds. Spraying yields valid credentials rather than an MFA bypass; it gives direct access wherever MFA is not enrolled or not enforced (legacy protocols, service accounts, unprotected applications).
- **Exploitation of Misconfigurations:** Leveraging incomplete MFA enrollment, self-enrollment of new devices, or improperly configured MFA policies.
## Indicators of Compromise
*The high-level summary text does not provide specific IoCs (Hashes, IPs, specific domains). The focus is on observed behaviors.*
- File Hashes: N/A (Not detailed in context)
- File Names: N/A (Not detailed in context)
- Registry Keys: N/A (Not detailed in context)
- Network Indicators: N/A (All indicators would be tied to the specific malware/tools used *after* initial access, which are not listed here.)
- Behavioral Indicators: A high volume of failed logins spread across many accounts from one source, with only one or two attempts per account (password spraying); repeated MFA push prompts to a single user within a short window, in particular denials or timeouts followed by an approval (push fatigue); and post-authentication directory enumeration and lateral movement.
## Associated Threat Actors
- Threat actors employing modern, identity-focused campaigns (General observation from the 2024 Year in Review context).
## Detection Methods
- **Signature-based detection:** Limited utility against credential abuse and spraying unless it leverages known malicious IPs or TTP fingerprints.
- **Behavioral detection:** Essential. Correlate failed logins by source address and count distinct target accounts (spraying is wide and shallow, so per-account lockouts never trip); alert on bursts of push notifications per user and on approvals that follow denials (push fatigue); flag logins from anomalous locations; and monitor directory service events such as bulk LDAP queries. Rate limiting and smart lockout are preventive controls that complement this detection rather than replace it.
- **YARA rules:** N/A (Not detailed in context)
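The two behavioural indicators above can be expressed as simple correlation rules. The following Python is an added example, not code from Talos or from the report; it runs over a constructed in-memory authentication log whose event schema (`password_fail`, `password_ok`, `mfa_push_sent`, `mfa_push_denied`, `mfa_push_timeout`, `mfa_push_approved`) is an assumption you would map onto your IdP's own field names. It flags a source that fails against many distinct accounts with few guesses each (spraying) and a user who receives a burst of pushes, distinguishing a user who kept refusing from one who finally approved.

```python
"""Behavioural detections for password spraying and MFA push fatigue.

Added example: runs over a constructed, in-memory authentication log
(not real Talos data). The event schema is an assumption; map your
IdP's fields onto it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one spraying source hits five users with a single
# guess each, lands a valid password on "frank", then pushes him until he
# approves. Benign noise follows: alice mistypes her password from the office.
SAMPLE_LOG = [
    # (timestamp, user, source_ip, event)
    ("2024-03-01T02:00:01", "alice", "203.0.113.7", "password_fail"),
    ("2024-03-01T02:00:02", "bob", "203.0.113.7", "password_fail"),
    ("2024-03-01T02:00:03", "carol", "203.0.113.7", "password_fail"),
    ("2024-03-01T02:00:04", "dave", "203.0.113.7", "password_fail"),
    ("2024-03-01T02:00:05", "erin", "203.0.113.7", "password_fail"),
    ("2024-03-01T02:00:06", "frank", "203.0.113.7", "password_ok"),
    ("2024-03-01T02:01:00", "frank", "203.0.113.7", "mfa_push_sent"),
    ("2024-03-01T02:01:30", "frank", "203.0.113.7", "mfa_push_denied"),
    ("2024-03-01T02:02:00", "frank", "203.0.113.7", "mfa_push_sent"),
    ("2024-03-01T02:02:30", "frank", "203.0.113.7", "mfa_push_denied"),
    ("2024-03-01T02:03:00", "frank", "203.0.113.7", "mfa_push_sent"),
    ("2024-03-01T02:03:40", "frank", "203.0.113.7", "mfa_push_timeout"),
    ("2024-03-01T02:04:00", "frank", "203.0.113.7", "mfa_push_sent"),
    ("2024-03-01T02:04:10", "frank", "203.0.113.7", "mfa_push_approved"),
    ("2024-03-01T09:15:00", "alice", "198.51.100.20", "password_fail"),
    ("2024-03-01T09:15:20", "alice", "198.51.100.20", "password_fail"),
    ("2024-03-01T09:15:40", "alice", "198.51.100.20", "password_ok"),
    ("2024-03-01T09:15:50", "alice", "198.51.100.20", "mfa_push_sent"),
    ("2024-03-01T09:16:00", "alice", "198.51.100.20", "mfa_push_approved"),
]


def parse(log):
    """Turn the raw tuples into (datetime, user, ip, event)."""
    return [(datetime.fromisoformat(ts), user, ip, ev) for ts, user, ip, ev in log]


def detect_password_spray(log, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources that fail against many distinct users with few guesses each.

    A spray is wide and shallow: many accounts, one or two passwords per
    account, so per-user lockout thresholds never trip. Returns
    {source_ip: sorted list of targeted users} for each flagged source.
    """
    fails_by_ip = defaultdict(list)
    for ts, user, ip, ev in parse(log):
        if ev == "password_fail":
            fails_by_ip[ip].append((ts, user))
    hits = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):          # slide a window over the failures
            in_window = [u for t, u in fails[i:] if t - start <= window]
            per_user = defaultdict(int)
            for u in in_window:
                per_user[u] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[ip] = sorted(per_user)
                break
    return hits


def detect_push_fatigue(log, window=timedelta(minutes=10), min_pushes=3):
    """Flag users who receive a burst of push prompts in a short window.

    Returns {user: {"pushes": n, "approved_after_refusals": bool}} so an
    analyst can separate a user who kept refusing from a successful bypass.
    """
    pushes = defaultdict(list)   # user -> [(ts, event)]
    for ts, user, ip, ev in parse(log):
        if ev.startswith("mfa_push_"):
            pushes[user].append((ts, ev))
    hits = {}
    for user, evs in pushes.items():
        evs.sort()
        sent = [t for t, ev in evs if ev == "mfa_push_sent"]
        for i, start in enumerate(sent):
            burst = [t for t in sent[i:] if t - start <= window]
            if len(burst) >= min_pushes:
                refused = any(ev in ("mfa_push_denied", "mfa_push_timeout")
                              for t, ev in evs if start <= t <= burst[-1])
                approved = any(ev == "mfa_push_approved"
                               for t, ev in evs if t >= burst[-1])
                hits[user] = {"pushes": len(burst),
                              "approved_after_refusals": refused and approved}
                break
    return hits


if __name__ == "__main__":
    print(detect_password_spray(SAMPLE_LOG))
    print(detect_push_fatigue(SAMPLE_LOG))
```

On the sample log the spray rule flags 203.0.113.7 against alice, bob, carol, dave and erin, and the fatigue rule flags frank with four pushes and `approved_after_refusals` set, which is the case that should page an analyst; alice's two typos and single push trigger neither rule. The thresholds are deliberately parameters: tune `min_users` and `window` against your own baseline of failed logins before enabling alerts.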
## Mitigation Strategies
- **Prevention measures:** Enforce strong, unique passwords and deploy MFA across all critical services, favouring factors that resist push fatigue (number matching or phishing-resistant hardware-bound credentials) over plain approve/deny pushes.
- **Hardening recommendations:**
1. Eliminate MFA enrollment gaps (ensure 100% coverage, including service and administrative accounts) and restrict self-enrollment of new authenticators.
2. Implement monitoring and alerting for push-fatigue attempts, and require number matching so an accidental approval cannot complete an attacker's login.
3. Eliminate weak or easily guessable passwords by policy and banned-password lists; this is what blunts password spraying, since lockout thresholds rarely trip on one guess per account.
4. Disable or strictly limit legacy authentication protocols where MFA cannot be enforced, as these are where sprayed credentials succeed.
5. Harden Active Directory posture (tiered administration, least privilege, monitored enumeration) to limit the impact of post-authentication activity.
## Related Tools/Techniques
Specific tools are not detailed, but the post-compromise activity against Active Directory suggests tooling for AD enumeration, privilege escalation, and command and control that benefits from valid accounts (e.g., Rubeus, BloodHound after initial access, or native tools such as PowerShell and WMI).