How to bypass MFA in Azure and O365: part 3
Mitigation
This is the third and last part of our series about how to bypass MFA in Azure and O365. In this article, we share our advice on how you defend your organization against the attacks we described in parts 1 and 2.
In the previous blog articles we describe some advanced attack techniques. Most of the breaches our clients are confronted with are the effect of poor password management or lack thereof. To prevent breaches like this, you need strong passwords and multifactor authentication. Consider this your first priority. Then add to your security architecture by implementing Conditional Access policies to secure how your users and admins authenticate to Azure. When you have this covered, it’s time to start thinking about mitigating the more advanced attacks we described in this blog series.
Defense
Find the most common defense solutions against MFA attacks in this list:
1. Do not grant users local administrator access. The misuse of administrative privileges is a key method used by attackers to gain unauthorized access to company assets and data. In fact, misuse of administrative privileges is such an important issue that the Center for Internet Security, in their latest release of the Critical Security Controls, moved it from 12th to 6th in the ranking of priorities organizations should address.
2. Always monitor Azure AD sign-logs. Monitor how your resources are being used and receive alerting when suspicious behavior is detected. When a non-administrator account is using PowerShell modules to connect to your environment, this must be signaled as suspicious. This can be done with Azure Identity protection.
3. Limit access from personal devices. Reduce the attack surface by limiting the access users have from personal devices to your company cloud environment. These are devices that are not managed by IT with limited or no security controls active,. Some companies choose to totally block access from unmanaged devices or limit it only to browser access with very short session control (1h).
4. Windows 10 hardening is recommended. Windows 10 has some built in security controls like attack surface reduction rules which can block the access to LSASS.exe. We suggest running the ASR rule first in audit mode, which can be monitored by M365 Defender.
5. Make sure that your Antivirus software clients are healthy and up to date as expected. For Windows defender we suggest enabling ‘tamper protection’. Running a healthy AV makes it more difficult to run Mimikatz to obtain the PRT and the keys needed.
6. Start using an Endpoint detection and response solution. Options like Microsoft Defender for Endpoint are even more better. We tested the Pass-the-PRT technique on a device which was monitored by Defender for Endpoint and both attack techniques will be detected and trigger an automatic investigation of this suspicious activity on the endpoint.
Response
If a device is compromised, it is important to disable it in Azure AD and re-provision it. This will make sure the primary refresh token is be invalid. Aside from forcing the user to change their password, make sure to revoke the refresh tokens. This can be accomplished with PowerShell. Doing this will make sure that any existing refresh tokens can no longer be used by an attacker. Keep in mind that there still will be an access token active which as a default lifetime of 1 hour before it needs to be refreshed.
Do you have questions about this topic? Or would like to have a chat about implementing the best practice of security measures in your organization? Reach out to us via info@secwise.be.