How to capture MFA bypass techniques

[planglois925]

Currently there isn't a good way of capturing MFA bypass, in which there is a secondary action that is leveraged to bypass MFA.

Here are the types of attacks that are known:

1. Auth approving spamming (spam the user until they accept the auth)
2. Steal cookies (local host) - Password stealers like redline can steal both credential and active cookies that can be used to bypass MFA)
3. Steal cookies (website) - Attackers can collect the second factor through a typical phishing site
4. SMS Hijack - through SIM swapping the attacker can steal the second factor that is sent via SMS
5. Brute-force second factor
6. Direct Social engineering (To confirm your account, can you provide the validation code)
7. Malicious app on phone intercepting MFA code

Potentially out of scope

1. Misconfigured services - while the organization may have implemented MFA, they may have left certain services to not need it
2. Unactivated MFA accounts - organization has set up MFA, but the compromised user hadn't set it up

[planglois925]

Options to capture social engineering MFA prompt exhaustion:

• Action.social.variety.MFA bombing
• Action.social.variety.Brute force (consistently pestering the individual until they take an action, such as Prompt bombing) -Action.social.variety.Prompt bombing [https://arcticwolf.com/resources/blog/prompt-bomb-uber-hack/]

_philnote: if we use the same term for this as hacking.brute forcing and malware brute force, they'll get aggregated together, even tho they are conceptually different from a protection stand point)

2,3,7 Phishing site + malware password dumper are probably fine to capture using existing social varieties and malware. From a defensive perspective, it makes sense to group these together since they are defended in the same way.

SMS Hijacking (MFA Intercept)

• action.hacking.variety.MFA intercept (capturing the secondary factor while in transit such as SMS hijacking)

• action.hacking.variety.SIM card reassignment

• action.hacking.variety.SIM Hijacking

• action.hacking.variety.SMS Hijacking

• action.hacking.vector.Other

[gdbassett]

Is SIM an asset? Is MFA a type of data?

Intercept may be a good but not interactive (confidentiality loss) Hijack (Attacker gains the ability to act as the victim and denies it to the victim)

Add: SIM asset (media? physical?) hijack action (which categories - hacking) Social brute force Multiple Authentication Factor data variety (any credential or other authentication factor in addition to the first)

Coding_style:

• intercept actions should be coded as a confidentiality loss of a MFA data variety
• transfer an accounts active sim to an attacker controlled device so they can receive the 2nd factor: asset: SIM, data.variety MFA, action hijacking. Likely preceded by a social action.
• spamming MFA requests: social.brute force. No data.variety.MFA, but integrity.change behavior.