Disabled MFA to Bypass Authentication Mechanisms
Detects the disabling of multi-factor authentication for a user in Azure AD (the "Disable Strong Authentication." audit activity), which may indicate an attempt to bypass authentication controls. The rule fires only on a successful change; failed attempts are not raised. It covers per-user MFA states (see the reference below); MFA that is enforced through Conditional Access is addressed by the CA policy rules listed under Related rules.
Sigma rule

```yaml
title: Disabled MFA to Bypass Authentication Mechanisms
id: 7ea78478-a4f9-42a6-9dcd-f861816122bf
status: test
description: Detection for when multi-factor authentication has been disabled, which might indicate malicious activity to bypass authentication mechanisms.
references:
  - https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
author: '@ionsor'
date: 2022-02-08
tags:
  - attack.persistence
  - attack.t1556
logsource:
  product: azure
  service: activitylogs
detection:
  selection:
    eventSource: AzureActiveDirectory
    eventName: 'Disable Strong Authentication.'   # exact activity name, trailing period included
    status: success
  condition: selection
falsepositives:
  - Authorized modification by administrators
level: medium
```
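To show exactly which records the rule's `selection` block matches, here is an added example (not part of the SigmaHQ rule or of this page) that applies Sigma's selection semantics to a few constructed Azure activity-log records in JSON-lines form. The field names `eventSource`, `eventName` and `status` are the rule's own; `initiatedBy` and `targetUser` are hypothetical extra fields included only so the matches have something to triage on.

```python
"""Added example: evaluate the rule's `selection` against sample events.

Not the rule author's code. Field names beyond those in the rule are
assumptions for illustration only.
"""
import json

# The rule's selection block: every field must match (logical AND).
SELECTION = {
    "eventSource": "AzureActiveDirectory",
    "eventName": "Disable Strong Authentication.",
    "status": "success",
}

# Constructed JSON-lines log sample (not real tenant data).
# Line 1: a successful MFA disable -> should match.
# Line 2: the same operation that failed -> status differs, no match.
# Line 3: MFA being re-enabled -> different activity, no match.
# Line 4: a Conditional Access change -> not this rule's concern.
SAMPLE_LOG = """
{"eventSource": "AzureActiveDirectory", "eventName": "Disable Strong Authentication.", "status": "success", "initiatedBy": "admin@contoso.example", "targetUser": "cfo@contoso.example"}
{"eventSource": "AzureActiveDirectory", "eventName": "Disable Strong Authentication.", "status": "failure", "initiatedBy": "helpdesk@contoso.example", "targetUser": "cfo@contoso.example"}
{"eventSource": "AzureActiveDirectory", "eventName": "Enable Strong Authentication.", "status": "success", "initiatedBy": "admin@contoso.example", "targetUser": "cfo@contoso.example"}
{"eventSource": "AzureActiveDirectory", "eventName": "Delete conditional access policy", "status": "success", "initiatedBy": "admin@contoso.example", "targetUser": "Require MFA for all users"}
""".strip()


def parse_log(text: str) -> list[dict]:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def match_selection(event: dict, selection: dict) -> bool:
    """Sigma semantics for plain-value selections: all listed fields must be
    present and equal; a list of values for one field means any-of (OR).
    Sigma string comparison is case-insensitive by default, so we lower-case
    both sides, but the value must otherwise be exact (the trailing period in
    'Disable Strong Authentication.' is part of the activity name)."""
    for field, expected in selection.items():
        actual = event.get(field)
        if actual is None:
            return False
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(str(actual).lower() == str(v).lower() for v in candidates):
            return False
    return True


def find_mfa_disabled(events: list[dict]) -> list[dict]:
    """Return the events the rule would alert on."""
    return [e for e in events if match_selection(e, SELECTION)]


def triage_line(event: dict) -> str:
    """One-line summary for an analyst: who disabled MFA for whom."""
    return f"{event.get('initiatedBy', '?')} disabled MFA for {event.get('targetUser', '?')}"


if __name__ == "__main__":
    for hit in find_mfa_disabled(parse_log(SAMPLE_LOG)):
        print(triage_line(hit))
```

Only the first record is returned: the failed attempt is dropped by `status: success`, and re-enabling MFA or editing a Conditional Access policy never matches `eventName`. The `initiatedBy` value is what you compare against your list of approved administrators to clear the documented false positive.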
References
- https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
Related rules
- AWS Identity Center Identity Provider Change
- CA Policy Removed by Non Approved Actor
- CA Policy Updated by Non Approved Actor
- Certificate-Based Authentication Enabled
- Change to Authentication Method