Disabled MFA to Bypass Authentication Mechanisms
Detects a successful "Disable Strong Authentication." event in the Azure Active Directory activity logs, i.e. multi-factor authentication being disabled for a user, which may indicate an attacker weakening authentication in order to bypass it. Authorized administrative changes produce the same event, so matches should be triaged against the acting principal and any change record rather than treated as confirmed malicious activity.
Sigma rule

```yaml
title: Disabled MFA to Bypass Authentication Mechanisms
id: 7ea78478-a4f9-42a6-9dcd-f861816122bf
status: test
description: Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms.
references:
    - https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
author: '@ionsor'
date: 2022-02-08
tags:
    - attack.defense-evasion
    - attack.credential-access
    - attack.persistence
    - attack.t1556
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        eventSource: AzureActiveDirectory
        eventName: 'Disable Strong Authentication.'
        status: success
    condition: selection
falsepositives:
    - Authorized modification by administrators
level: medium
```
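The following is an added example, not part of the SigmaHQ rule or the page, that runs the rule's `selection` block over a handful of constructed Azure activity-log records. It uses the field names of Sigma's `azure`/`activitylogs` taxonomy (`eventSource`, `eventName`, `status`) exactly as the rule does; mapping those to a pipeline's native column names is the Sigma backend's job and is assumed here, not shown. The `initiatedBy` and `targetUser` fields, the principals, and all five sample events are constructed for illustration. The example also shows two details a practitioner should know when porting the rule: Sigma's plain string matching is case-insensitive, and it is exact, so the trailing period in `Disable Strong Authentication.` is part of the value to match.

```python
"""Run the Sigma selection for 'Disabled MFA' over constructed Azure activity-log records.

Added example (not SigmaHQ code). Field names follow Sigma's azure/activitylogs
taxonomy; the initiatedBy/targetUser fields and every sample event are constructed.
"""
from __future__ import annotations

import json
from typing import Iterable

# The rule's selection block, transcribed literally. Sigma matches plain string
# values exactly (the trailing period matters) and case-insensitively.
SELECTION = {
    "eventSource": "AzureActiveDirectory",
    "eventName": "Disable Strong Authentication.",
    "status": "success",
}


def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """True when every selection field is present and equal, ignoring case."""
    for field, wanted in selection.items():
        value = event.get(field)
        if value is None or str(value).casefold() != wanted.casefold():
            return False
    return True


def find_mfa_disabled(events: Iterable[dict]) -> list[dict]:
    """Apply 'condition: selection' and return the matching events in order."""
    return [event for event in events if matches_selection(event)]


def summarize_by_actor(matches: list[dict]) -> dict[str, list[str]]:
    """Group hits by the initiating principal.

    The rule's stated false positive is authorized administrator activity, so the
    first triage question is who disabled MFA and for whom (hypothetical fields).
    """
    by_actor: dict[str, list[str]] = {}
    for match in matches:
        actor = match.get("initiatedBy", "<unknown>")
        by_actor.setdefault(actor, []).append(match.get("targetUser", "<unknown>"))
    return by_actor


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {   # 1: exact match -> alert
        "eventSource": "AzureActiveDirectory",
        "eventName": "Disable Strong Authentication.",
        "status": "success",
        "initiatedBy": "helpdesk@contoso.example",
        "targetUser": "alice@contoso.example",
    },
    {   # 2: the attempt failed; the rule requires status: success, so no alert
        "eventSource": "AzureActiveDirectory",
        "eventName": "Disable Strong Authentication.",
        "status": "failure",
        "initiatedBy": "intruder@contoso.example",
        "targetUser": "bob@contoso.example",
    },
    {   # 3: different letter case -> still matches (Sigma compares case-insensitively)
        "eventSource": "azureactivedirectory",
        "eventName": "disable strong authentication.",
        "status": "Success",
        "initiatedBy": "helpdesk@contoso.example",
        "targetUser": "carol@contoso.example",
    },
    {   # 4: an unrelated operation name (constructed) -> no alert
        "eventSource": "AzureActiveDirectory",
        "eventName": "Update user.",
        "status": "success",
        "initiatedBy": "helpdesk@contoso.example",
        "targetUser": "dave@contoso.example",
    },
    {   # 5: trailing period missing -> no alert, the comparison is exact
        "eventSource": "AzureActiveDirectory",
        "eventName": "Disable Strong Authentication",
        "status": "success",
        "initiatedBy": "helpdesk@contoso.example",
        "targetUser": "erin@contoso.example",
    },
]


if __name__ == "__main__":
    hits = find_mfa_disabled(SAMPLE_EVENTS)
    print(json.dumps(summarize_by_actor(hits), indent=2))
```

Events 1 and 3 are the only hits; event 5 shows why a hand-ported query must keep the trailing period, and event 2 shows that a failed attempt to disable MFA is invisible to this rule by design (a separate rule on `status: failure` would be needed to see it).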
References
- https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
Related rules
- AWS Identity Center Identity Provider Change
- CA Policy Removed by Non Approved Actor
- CA Policy Updated by Non Approved Actor
- Certificate-Based Authentication Enabled
- Change to Authentication Method