Disabling Multi Factor Authentication
Detects disabling of Multi Factor Authentication.
Sigma rule (View on GitHub)
```yaml
title: Disabling Multi Factor Authentication
id: 60de9b57-dc4d-48b9-a6a0-b39e0469f876
status: test
description: Detects disabling of Multi Factor Authentication.
references:
    - https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/
author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
date: 2023-09-18
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.credential-access
    - attack.t1556.006
logsource:
    service: audit
    product: m365
detection:
    selection:
        Operation|contains: 'Disable Strong Authentication.'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
Related rules
- Okta MFA Reset or Deactivated
- Change to Authentication Method
- Cisco BGP Authentication Failures
- Cisco LDP Authentication Failures
- Github High Risk Configuration Disabled