Change to Authentication Method
Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.
Sigma rule (View on GitHub)
1title: Change to Authentication Method
2id: 4d78a000-ab52-4564-88a5-7ab5242b20c7
3status: test
4description: Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.
5references:
6 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
7author: AlertIQ
8date: 2021/10/10
9modified: 2022/12/25
10tags:
11 - attack.credential_access
12 - attack.t1556
13 - attack.persistence
14 - attack.defense_evasion
15 - attack.t1098
16logsource:
17 product: azure
18 service: auditlogs
19detection:
20 selection:
21 LoggedByService: 'Authentication Methods'
22 Category: 'UserManagement'
23 OperationName: 'User registered security info'
24 condition: selection
25falsepositives:
26 - Unknown
27level: medium
References
-
Learn about baselines, and how to monitor and alert on potential security issues with privileged accounts in Microsoft Entra ID.
Read More
Related rules
- AWS Route 53 Domain Transfer Lock Disabled
- AWS Route 53 Domain Transferred to Another Account
- Suspicious Computer Account Name Change CVE-2021-42287
- Okta MFA Reset or Deactivated
- AWS IAM Backdoor Users Keys