Disabled MFA to Bypass Authentication Mechanisms

Detects when multi-factor authentication has been disabled, which might indicate malicious activity to bypass authentication mechanisms.

@ionsor | Created Tue Feb 08 | 7ea78478-a4f9-42a6-9dcd-f861816122bf | cloud
Log Source
Product: Azure (raw: azure)
Service: activitylogs (raw: activitylogs)
Detection Logic (1 selector)
detection:
    selection:
        eventSource: AzureActiveDirectory
        eventName: 'Disable Strong Authentication.'
        status: success
    condition: selection
False Positives

Authorized modification by administrators

Rule Metadata
Rule ID
7ea78478-a4f9-42a6-9dcd-f861816122bf
Status
test
Level
medium
Type
Detection
Created
Tue Feb 08
Author
@ionsor
Path
rules/cloud/azure/activity_logs/azure_mfa_disabled.yml
Raw Tags
attack.defense-evasion, attack.credential-access, attack.persistence, attack.t1556