Multi Factor Authentication Disabled For User Account
Detects changes to the "StrongAuthenticationRequirement" value where the state is set to "0" or "Disabled". Threat actors have been observed disabling multi-factor authentication for user accounts in order to maintain or gain access to them. This is also seen in SIM swap attacks.
Sigma rule
```yaml
title: Multi Factor Authentication Disabled For User Account
id: b18454c8-0be3-41f7-86bc-9c614611b839
status: experimental
description: |
    Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled".
    Threat actors were seen disabling multi factor authentication for users in order to maintain or achieve access to the account. Also see in SIM Swap attacks.
references:
    - https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/
author: Harjot Singh (@cyb3rjy0t)
date: 2024-08-21
tags:
    - attack.credential-access
    - attack.persistence
logsource:
    product: azure
    service: auditlogs
    definition: 'Requirements: The TargetResources array needs to be mapped accurately in order for this rule to work'
detection:
    selection:
        LoggedByService: 'Core Directory'
        Category: 'UserManagement'
        OperationName: 'Update user'
        TargetResources.ModifiedProperties.DisplayName: 'StrongAuthenticationRequirement'
        TargetResources.ModifiedProperties.NewValue|contains: "State\":0"
    condition: selection
falsepositives:
    - Legitimate authorized activity.
level: medium
```
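As an added example (not part of the rule or of the Sigma project), the selection above applied in Python to constructed Azure AD audit log events, evaluating DisplayName and NewValue within the same modifiedProperties entry as the rule's logsource definition requires. Field names are assumed to follow the camelCase JSON of the Azure AD audit log, and the UPN and timestamps are placeholders.

```python
# Constructed sample Azure AD audit log events (not real tenant data); field
# names assume the camelCase JSON of the Azure AD audit log.
def _mfa_event(operation, properties):
    return {"loggedByService": "Core Directory", "category": "UserManagement",
            "operationName": operation,
            "targetResources": [{"userPrincipalName": "user@example.com",
                                 "modifiedProperties": properties}]}

# NewValue for this property is a JSON-encoded string; State 0 = MFA disabled.
MFA_OFF = '[{"RelyingParty":"*","State":0,"RememberDevicesNotIssuedBefore":"2024-08-01T00:00:00+00:00"}]'
MFA_ON = MFA_OFF.replace('"State":0', '"State":1')

SAMPLE_EVENTS = [
    # 1: MFA requirement set to disabled -> should alert
    _mfa_event("Update user", [{"displayName": "StrongAuthenticationRequirement",
                                "oldValue": MFA_ON, "newValue": MFA_OFF}]),
    # 2: MFA requirement enabled -> no alert
    _mfa_event("Update user", [{"displayName": "StrongAuthenticationRequirement",
                                "oldValue": MFA_OFF, "newValue": MFA_ON}]),
    # 3: MFA enabled alongside an unrelated property change -> no alert
    _mfa_event("Update user", [{"displayName": "StrongAuthenticationRequirement",
                                "oldValue": "[]", "newValue": MFA_ON},
                               {"displayName": "AccountEnabled",
                                "oldValue": "[false]", "newValue": "[true]"}]),
    # 4: same value set during "Add user" -> outside the rule's selection
    _mfa_event("Add user", [{"displayName": "StrongAuthenticationRequirement",
                             "oldValue": "[]", "newValue": MFA_OFF}]),
]

def matches_mfa_disabled(event):
    """Apply the rule's selection to one event. DisplayName and NewValue are
    checked on the same modifiedProperties entry; pairing them across entries
    is the mapping mistake the rule's logsource definition warns about."""
    if (event.get("loggedByService") != "Core Directory"
            or event.get("category") != "UserManagement"
            or event.get("operationName") != "Update user"):
        return False
    for resource in event.get("targetResources", []):
        for prop in resource.get("modifiedProperties", []):
            if (prop.get("displayName") == "StrongAuthenticationRequirement"
                    and 'State":0' in (prop.get("newValue") or "")):
                return True
    return False

def alert_users(events):
    """Return the target UPNs of the events that match the rule."""
    return [res["userPrincipalName"] for ev in events if matches_mfa_disabled(ev)
            for res in ev["targetResources"]]
```

Only the first sample event produces an alert; the enable, the multi-property update and the "Add user" event fall outside the selection.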