Abusing Duo Authentication Misconfigurations in Windows & AD
Tags
attack-pattern: Data Direct Cloud Api - T1059.009 Confluence - T1213.001 Credentials - T1589.001 Domain Account - T1087.002 Domain Account - T1136.002 Ip Addresses - T1590.005 Multi-Factor Authentication - T1556.006 Powershell - T1059.001 Remote Desktop Protocol - T1021.001 Server - T1583.004 Server - T1584.004 Software - T1592.002 Brute Force - T1110 Connection Proxy - T1090 Powershell - T1086 Remote Desktop Protocol - T1076 Valid Accounts - T1078 Valid Accounts
Show in Graph
Common Information
Type Value
UUID 28c8416f-49dc-429c-8fd2-61a20ab2b036
Fingerprint ec1f989b7837e9d9
Analysis status DONE
Considered CTI value 0
Text language
Published July 14, 2022, midnight
Added to db Oct. 22, 2023, 11:14 p.m.
Last updated Nov. 17, 2024, 12:58 p.m.
Headline Abusing Duo Authentication Misconfigurations in Windows and Active Directory Environments
Title Abusing Duo Authentication Misconfigurations in Windows & AD
Detected Hints/Tags/Attributes 81/1/12
Source URLs
Redirection Url
Details Source https://www.mandiant.com/resources/abusing-duo-authentication-misconfigurations
Details Source https://www.mandiant.com/resources/blog/abusing-duo-authentication-misconfigurations
URL Provider
Details Provider Source level domain
Details mandiant.com www.mandiant.com
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 330 Threat Intelligence https://www.mandiant.com/resources/blog/rss.xml 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details Domain 1 
api-xxxxxxxx.duosecurity.com
Details Domain 24 
duo.com
Details File 1 
duowindowslogon64.msi
Details File 1 
duowindowslogon32.msi
Details File 40 
web.xml
Details File 1 
maclogon.pl
Details Url 1 
https://duo.com/docs/duoweb
Details Url 1 
https://duo.com/docs/rdp#offline
Details Url 1 
https://duo.com/docs/winlogon-gpo.
Details Windows Registry Key 1 
HKLM\SOFTWARE\Duo
Details Windows Registry Key 1 
HKLM\Software\Policies\Duo
Details Windows Registry Key 1 
HKLM\SOFTWARE\Policies\Duo