Disabling Multi Factor Authentication

Oct 12, 2023 · attack.persistence attack.t1556 ·

Detects disabling of Multi Factor Authentication.

Sigma rule (View on GitHub)

 1title: Disabling Multi Factor Authentication
 2id: 60de9b57-dc4d-48b9-a6a0-b39e0469f876
 3status: experimental
 4description: Detects disabling of Multi Factor Authentication.
 5references:
 6    - https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/
 7author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
 8date: 2023/09/18
 9tags:
10    - attack.persistence
11    - attack.t1556
12logsource:
13    service: audit
14    product: m365
15detection:
16    selection:
17        Operation|contains: 'Disable Strong Authentication.'
18    condition: selection
19falsepositives:
20    - Unlikely
21level: high

References

O365 Disable MFA

Modify Authentication Process

Read More

Related rules

AWS Identity Center Identity Provider Change
Change to Authentication Method
Disabled MFA to Bypass Authentication Mechanisms
AWS ElastiCache Security Group Created
AWS IAM Backdoor Users Keys

Disabling Multi Factor Authentication

Sigma rule (View on GitHub)

References

O365 Disable MFA

Related rules