SSPR/MFA


Last updated 11 months ago

What Is SSPR

Attack

If you control one of the MFA methods registered on a user's account, you can reset that user's password through SSPR without knowing their current password.

Detect

Hunt for known bad MFA devices

The script below lists every authentication method registered for each user in the tenant (or for the users in a supplied list) and exports their properties to CSV, including the Authenticator device name, app version and device tag you need in order to spot a device that should not be there.

param ($Path, $UserList)

if ( ($Path -eq $null) -or ($Path -eq "") -or ($Path -eq " ") )
{
    Write-Host "-Path not valid, please provide a filepath to export CSV to."
    Write-Host "-UserList, to optionally add a list of users to save time. By default grabs a list of every user in the tenant."
}
else
{
    # Connect to Microsoft Graph with the scope needed to read authentication methods
    Connect-MgGraph -Scopes 'UserAuthenticationMethod.Read.All' -NoWelcome

    if ($UserList -eq $null)
    {
        # No list supplied: get every user in the tenant
        $users = Get-MgUser -All
    }
    else
    {
        # List supplied: one UPN or object id per line
        $users = ForEach ($mguser in $(Get-Content -Path $UserList)) {
            Get-MgUser -UserId $mguser
        }
    }
    $results = @()
    Write-Host "`nRetrieved $($users.Count) users"

    # Loop through each user account
    foreach ($user in $users) {

        $MFAData = Get-MgUserAuthenticationMethod -UserId $user.UserPrincipalName #-ErrorAction SilentlyContinue

        # Check each authentication method registered for the user
        ForEach ($method in $MFAData) {
            $myObject = [PSCustomObject]@{
                user            = "-"
                Id              = "-"
                MFAstatus       = "-"
                email           = "-"
                fido2           = "-"
                app             = "-"
                password        = "-"
                phone           = "-"
                softwareoath    = "-"
                tempaccess      = "-"
                hellobusiness   = "-"
                DeviceName      = "-"
                PhoneAppVersion = "-"
                DeviceTag       = "-"
            }

            $myObject.user = $user.UserPrincipalName
            # Record the method id for every method type; it is what you need to identify (and remove) a specific registration
            $myObject.Id   = $method.Id

            Switch ($method.AdditionalProperties["@odata.type"]) {
                "#microsoft.graph.emailAuthenticationMethod" {
                    $myObject.email = $true
                    $myObject.MFAstatus = "Enabled"
                }
                "#microsoft.graph.fido2AuthenticationMethod" {
                    $myObject.fido2 = $true
                    $myObject.MFAstatus = "Enabled"
                }
                "#microsoft.graph.passwordAuthenticationMethod" {
                    $myObject.password = $true
                    # When only the password is set, MFA is disabled
                    if ($myObject.MFAstatus -ne "Enabled")
                    {
                        $myObject.MFAstatus = "Disabled"
                    }
                }
                "#microsoft.graph.phoneAuthenticationMethod" {
                    $myObject.phone = $true
                    $myObject.MFAstatus = "Enabled"
                }
                "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod" {
                    # Authenticator app: keep the device details, these are what you hunt on
                    $myObject.app             = $true
                    $myObject.DeviceName      = $method.AdditionalProperties.displayName
                    $myObject.PhoneAppVersion = $method.AdditionalProperties.phoneAppVersion
                    $myObject.DeviceTag       = $method.AdditionalProperties.deviceTag
                    $myObject.MFAstatus       = "Enabled"
                }
                "#microsoft.graph.softwareOathAuthenticationMethod" {
                    $myObject.softwareoath = "Oath OTP Enabled"
                    $myObject.MFAstatus = "Enabled"
                }
                "#microsoft.graph.temporaryAccessPassAuthenticationMethod" {
                    $myObject.tempaccess = $true
                    $myObject.MFAstatus = "Enabled"
                }
                "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod" {
                    $myObject.hellobusiness = $true
                    $myObject.MFAstatus = "Enabled"
                }
            }
            $results += $myObject
        }
    }
    # Export one row per user/method pair
    $results | Export-Csv -Path $Path
}
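Once the CSV exists, the hunt is a matter of matching its rows against what you know is bad and flagging what looks anomalous. The following is an added example (not the page's script) that takes the exported rows and reports two things: direct hits on a known-bad device name or method id, and accounts with more than one Authenticator app registered. It assumes the CSV columns the script writes (user, Id, DeviceName, PhoneAppVersion, DeviceTag); the known-bad indicator lists and the sample rows are constructed placeholders.

```powershell
# Added example (not the page's script): hunt the exported CSV for known-bad or
# anomalous Microsoft Authenticator registrations.
# Assumptions: rows carry the columns the script above writes; the known-bad
# lists are placeholders to replace with indicators from your own investigation.

function Find-SuspiciousMfaDevices {
    param(
        [Parameter(Mandatory)] [object[]] $Methods,   # rows from Import-Csv / ConvertFrom-Csv
        [string[]] $KnownBadDeviceNames = @(),
        [string[]] $KnownBadMethodIds   = @()
    )

    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Direct hits on known-bad indicators (device display name or method id)
    foreach ($m in $Methods) {
        if ($KnownBadDeviceNames -contains $m.DeviceName) {
            $findings.Add([PSCustomObject]@{
                User = $m.user; Reason = 'Known-bad device name'
                DeviceName = $m.DeviceName; MethodId = $m.Id })
        }
        if ($KnownBadMethodIds -contains $m.Id) {
            $findings.Add([PSCustomObject]@{
                User = $m.user; Reason = 'Known-bad method id'
                DeviceName = $m.DeviceName; MethodId = $m.Id })
        }
    }

    # 2. Accounts with more than one Authenticator app registered. The script only
    #    fills DeviceName for microsoftAuthenticatorAuthenticationMethod rows, so a
    #    DeviceName other than "-" identifies an Authenticator registration.
    $authRows = $Methods | Where-Object { $_.DeviceName -and $_.DeviceName -ne '-' }
    foreach ($g in ($authRows | Group-Object -Property user)) {
        if ($g.Count -gt 1) {
            $findings.Add([PSCustomObject]@{
                User = $g.Name; Reason = "Multiple Authenticator devices ($($g.Count))"
                DeviceName = ($g.Group.DeviceName -join ', '); MethodId = ($g.Group.Id -join ', ') })
        }
    }
    return $findings
}

# Constructed sample rows standing in for: Import-Csv -Path <the script's -Path>
$sampleCsv = @'
user,Id,MFAstatus,DeviceName,PhoneAppVersion,DeviceTag
alice@contoso.example,aaaaaaaa-0000-0000-0000-000000000001,Enabled,Pixel 7,6.8.0,SoftwareTokenActivated
alice@contoso.example,aaaaaaaa-0000-0000-0000-000000000002,Enabled,SM-A135F,6.8.0,SoftwareTokenActivated
bob@contoso.example,bbbbbbbb-0000-0000-0000-000000000001,Enabled,iPhone,6.8.0,SoftwareTokenActivated
bob@contoso.example,bbbbbbbb-0000-0000-0000-000000000002,Enabled,-,-,-
'@
$rows = $sampleCsv | ConvertFrom-Csv

# Placeholder indicators: replace with the device names / method ids from your case
Find-SuspiciousMfaDevices -Methods $rows `
    -KnownBadDeviceNames @('BADDEVICE-PLACEHOLDER') `
    -KnownBadMethodIds   @('aaaaaaaa-0000-0000-0000-000000000002') |
    Format-Table -AutoSize
```

With the sample rows, alice is reported twice (a known-bad method id and two Authenticator devices) and bob not at all. A second Authenticator device is not proof of compromise on its own (users do replace phones), so treat the multiple-device finding as a triage queue to check against the registration audit entries rather than as a verdict.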

What logs are available?

Audit Logs:

Password is not required for SSPR, only an alternate authentication method.

SSPR activity flow:

  1. User submitted their user ID

  2. User was presented with verification options

  3. User started the mobile app code verification option

  4. User completed the mobile app code verification option

  5. User completed all verification steps required to reset their password

  6. User submitted a new password

  7. Reset user password

  8. Update StsRefreshTokenValidFrom Timestamp

  9. Successfully completed reset.
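The attack this page describes leaves a characteristic sequence in the audit log: a security-info (MFA method) registration on the account, followed not long after by the SSPR flow ending in "Reset user password". The following is an added example (not from the page) that correlates those two activities per user within a time window. It assumes records carrying the directoryAudit fields activityDisplayName, activityDateTime and the target user's UPN, mapped to the User/Activity/Time properties used here; the registration activity names are the ones Entra ID shows for security-info registration, and the sample records are constructed.

```powershell
# Added example (not from the page): find password resets that follow an MFA
# method registration on the same account within a window.
# Assumption: records are shaped { User; Activity; Time } as built from
# Get-MgAuditLogDirectoryAudit output (see the usage note); sample data is constructed.

function Find-ResetAfterMfaRegistration {
    param(
        [Parameter(Mandatory)] [object[]] $AuditRecords,
        [int] $WindowHours = 48
    )
    $registrationNames = @('User registered security info', 'Admin registered security info')
    $resetName = 'Reset user password'   # step 7 of the SSPR flow above

    foreach ($g in ($AuditRecords | Group-Object -Property User)) {
        $regs   = @($g.Group | Where-Object { $registrationNames -contains $_.Activity })
        $resets = @($g.Group | Where-Object { $_.Activity -eq $resetName })

        foreach ($r in $resets) {
            # Registrations that happened within $WindowHours before this reset
            $recent = @($regs | Where-Object {
                $_.Time -le $r.Time -and $_.Time -ge $r.Time.AddHours(-$WindowHours)
            })
            if ($recent.Count -gt 0) {
                [PSCustomObject]@{
                    User       = $g.Name
                    ResetTime  = $r.Time
                    Registered = ($recent | ForEach-Object { '{0} @ {1:u}' -f $_.Activity, $_.Time }) -join '; '
                }
            }
        }
    }
}

# Constructed sample records: alice registers a method then resets within 3 hours;
# bob's registration comes after his reset, so it is not flagged.
$sample = @(
    [PSCustomObject]@{ User = 'alice@contoso.example'; Activity = 'User registered security info'; Time = [datetime]'2024-12-12T10:05:00Z' }
    [PSCustomObject]@{ User = 'alice@contoso.example'; Activity = 'Reset user password';           Time = [datetime]'2024-12-12T12:38:00Z' }
    [PSCustomObject]@{ User = 'bob@contoso.example';   Activity = 'Reset user password';           Time = [datetime]'2024-12-01T09:00:00Z' }
    [PSCustomObject]@{ User = 'bob@contoso.example';   Activity = 'User registered security info'; Time = [datetime]'2024-12-10T09:00:00Z' }
)

Find-ResetAfterMfaRegistration -AuditRecords $sample -WindowHours 48 | Format-Table -AutoSize
```

Against live data, build the records from Get-MgAuditLogDirectoryAudit output by mapping ActivityDisplayName to Activity, ActivityDateTime to Time and TargetResources[0].UserPrincipalName to User. "Reset user password" is also written for admin-initiated resets, so check the entry's initiator before treating a hit as an SSPR-driven reset.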

First MFA:

OLD VALUE:

[{"DeviceName":"SM-S911U",
"DeviceToken":"fdP4zadhT9mVkYYo_yQqEz:APA91bF61gVUucY6QWx2eWDi5IaSxCbSAM6LWsNGMmiiNXLgzCughKpLH5Nm2BetAEkl0axD2_ySPOJ24TEc0Wh-wwDeQBH-VP5c7rEme-xPTPioBPs-KsO5ftitRu4YG218wxXmII1Z",
"DeviceTag":"SoftwareTokenActivated",
"PhoneAppVersion":"6.2309.6329",
"OathTokenTimeDrift":0,
"DeviceId":"00000000-0000-0000-0000-000000000000",
"Id":"8cb20903-8109-4518-8269-a82dab749591",
"TimeInterval":0,
"AuthenticationType":3,
"NotificationType":4,
"LastAuthenticatedTimestamp":"2023-10-25T06:38:08.344692Z",
"AuthenticatorFlavor":null,
"HashFunction":null,
"TenantDeviceId":null,
"SecuredPartitionId":0,
"SecuredKeyId":0}]

NEW VALUE:

[{"DeviceName":"SM-S911U",
"DeviceToken":"fdP4zadhT9mVkYYo_yQqEz:APA91bF61gVUucY6QWx2eWDi5IaSxCbSAM6LWsNGMmiiNXLgzCughKpLH5Nm2BetAEkl0axD2_ySPOJ24TEc0Wh-wwDeQBH-VP5c7rEme-xPTPioBPs-KsO5ftitRu4YG218wxXmII1Z",
"DeviceTag":"SoftwareTokenActivated",
"PhoneAppVersion":"6.2309.6329",
"OathTokenTimeDrift":0,
"DeviceId":"00000000-0000-0000-0000-000000000000",
"Id":"8cb20903-8109-4518-8269-a82dab749591",
"TimeInterval":0,
"AuthenticationType":3,
"NotificationType":4,
"LastAuthenticatedTimestamp":"2024-12-12T12:38:08.344692Z",
"AuthenticatorFlavor":"Authenticator",
"HashFunction":"hmacsha256",
"TenantDeviceId":null,
"SecuredPartitionId":0,
"SecuredKeyId":0}]

AuthenticatorFlavor is updated from null to "Authenticator" (the reason is not clear):

  • "AuthenticatorFlavor":null,

  • "AuthenticatorFlavor":"Authenticator",

LastAuthenticatedTimestamp is sometimes updated (not clear under which conditions):

  • "LastAuthenticatedTimestamp":"2023-10-25T06:38:08.344692Z",

  • "LastAuthenticatedTimestamp":"2024-12-12T12:38:08.344692Z",

To get the audit log details: OData queries are not supported for filtering on these values, so retrieve the entries through Graph Explorer and copy-paste the result into a .txt file.
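Reading the old/new value pairs by eye does not scale, and the point of the comparison above is to separate a refresh of the existing registration (only AuthenticatorFlavor, HashFunction and LastAuthenticatedTimestamp move) from a different device appearing in the same slot (DeviceName, DeviceToken, DeviceId or Id change). The following is an added example (not from the page) that diffs the two JSON strings and returns that verdict. It assumes the old/new values are the strings copied from the audit entry as described above; the sample JSON, device tokens and ids are constructed placeholders.

```powershell
# Added example (not from the page): classify a security-info audit entry by
# diffing its old and new values.
# Assumption: the strings are the JSON arrays copied from the audit entry's
# old/new value fields; the sample data below is constructed.

function Compare-MfaDeviceChange {
    param(
        [Parameter(Mandatory)] [string] $OldValueJson,
        [Parameter(Mandatory)] [string] $NewValueJson
    )
    # The values are JSON arrays holding one device object; take the first element
    $old = $OldValueJson | ConvertFrom-Json
    $new = $NewValueJson | ConvertFrom-Json
    if ($old -is [array]) { $old = $old[0] }
    if ($new -is [array]) { $new = $new[0] }

    # A change here means a different registration, not a refresh of the same one
    $identityProps = 'DeviceName', 'DeviceToken', 'DeviceId', 'TenantDeviceId', 'Id'
    # Fields observed above to change on benign updates
    $benignProps   = 'AuthenticatorFlavor', 'HashFunction', 'LastAuthenticatedTimestamp'

    $names   = @($old.PSObject.Properties.Name) + @($new.PSObject.Properties.Name) | Select-Object -Unique
    $changed = @($names | Where-Object { "$($old.$_)" -ne "$($new.$_)" })

    $verdict = if ($changed | Where-Object { $identityProps -contains $_ }) { 'NEW-DEVICE' }
               elseif ($changed | Where-Object { $benignProps -notcontains $_ }) { 'REVIEW' }
               elseif ($changed.Count -gt 0) { 'BENIGN-REFRESH' }
               else { 'NO-CHANGE' }

    [PSCustomObject]@{ Verdict = $verdict; Changed = ($changed -join ', ') }
}

# Constructed samples: same device refreshed, and a different device in the same slot
$oldJson = '[{"DeviceName":"SM-S911U","DeviceToken":"TOKEN-A-PLACEHOLDER","DeviceTag":"SoftwareTokenActivated","PhoneAppVersion":"6.2309.6329","Id":"00000000-0000-4000-8000-000000000001","LastAuthenticatedTimestamp":"2023-10-25T06:38:08Z","AuthenticatorFlavor":null,"HashFunction":null}]'
$refreshJson = '[{"DeviceName":"SM-S911U","DeviceToken":"TOKEN-A-PLACEHOLDER","DeviceTag":"SoftwareTokenActivated","PhoneAppVersion":"6.2309.6329","Id":"00000000-0000-4000-8000-000000000001","LastAuthenticatedTimestamp":"2024-12-12T12:38:08Z","AuthenticatorFlavor":"Authenticator","HashFunction":"hmacsha256"}]'
$newDeviceJson = '[{"DeviceName":"Pixel 7","DeviceToken":"TOKEN-B-PLACEHOLDER","DeviceTag":"SoftwareTokenActivated","PhoneAppVersion":"6.8.0","Id":"00000000-0000-4000-8000-000000000002","LastAuthenticatedTimestamp":"2024-12-12T12:40:00Z","AuthenticatorFlavor":"Authenticator","HashFunction":"hmacsha256"}]'

Compare-MfaDeviceChange -OldValueJson $oldJson -NewValueJson $refreshJson
Compare-MfaDeviceChange -OldValueJson $oldJson -NewValueJson $newDeviceJson
```

The first call yields BENIGN-REFRESH (only the three benign fields differ) and the second NEW-DEVICE. Anything that changes outside both lists comes back as REVIEW, so fields you have not yet characterised are surfaced rather than silently accepted.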

Sign-In Logs:

Mitigate

  • Advisory: Persistent MFA Circumvention in an Advanced BEC Campaign on Microsoft 365 Targets
  • Hunting for MFA manipulations in Entra ID tenants using KQL (Microsoft Tech Community)
  • Get MFA Status with PowerShell (Script Included) (Active Directory Pro)
  • Self-service password reset reports - Microsoft Entra ID (Microsoft Learn)
  • Change Auditor 7.1 - Office 365 and Azure Active Directory Event Reference Guide
  • Advanced BEC Scam Campaign Targeting Executives on O365
  • Get directoryAudit - Microsoft Graph v1.0 (Microsoft Learn)
  • Get-MgAuditLogDirectoryAudit (Microsoft.Graph.Reports) (Microsoft Learn)