Multi Factor Authentication Disabled For User Account
Detects changes to the "StrongAuthenticationRequirement" value where the state is set to "0" (Disabled). Threat actors have been seen disabling multi-factor authentication for users in order to gain or maintain access to the account. Also seen in SIM swap attacks.
Log Source
Product: azure
Service: auditlogs
Definition
Requirements: The TargetResources array needs to be mapped accurately in order for this rule to work
Detection Logic
detection:
    selection:
        LoggedByService: 'Core Directory'
        Category: 'UserManagement'
        OperationName: 'Update user'
        TargetResources.ModifiedProperties.DisplayName: 'StrongAuthenticationRequirement'
        TargetResources.ModifiedProperties.NewValue|contains: "State\":0"
    condition: selection
False Positives
Legitimate authorized activity.
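The selection above evaluated over constructed Azure AD audit events, as an added Python example that is not part of this rule or the Sigma project; the lower-camel-case key names and the nested targetResources/modifiedProperties layout are assumed from the Azure audit log JSON schema, and the sample events are constructed.

```python
import json

# Helper that builds a constructed "Update user" audit event (not real data).
# Sigma fields map onto these keys: LoggedByService -> loggedByService, etc.
def _event(user, display_name, new_value):
    return {
        "loggedByService": "Core Directory",
        "category": "UserManagement",
        "operationName": "Update user",
        "targetResources": [{
            "userPrincipalName": user,
            "modifiedProperties": [{
                "displayName": display_name,
                # Azure stores the property value as a JSON-encoded string,
                # which is why the rule uses a substring match on 'State":0'.
                "newValue": json.dumps(new_value, separators=(",", ":")),
            }],
        }],
    }

SAMPLE_EVENTS = [
    _event("alice@example.com", "StrongAuthenticationRequirement",
           [{"RelyingParty": "*", "State": 0}]),   # MFA disabled -> alert
    _event("bob@example.com", "StrongAuthenticationRequirement",
           [{"RelyingParty": "*", "State": 1}]),   # MFA enabled -> no alert
    _event("carol@example.com", "DisplayName", "Carol Smith"),  # unrelated
]


def mfa_disabled(event):
    """Apply the rule's selection to a single audit event."""
    if event.get("loggedByService") != "Core Directory":
        return False
    if event.get("category") != "UserManagement":
        return False
    if event.get("operationName") != "Update user":
        return False
    # The TargetResources.* fields live inside an array of arrays, so the
    # check must walk every target and every modified property (this is the
    # mapping requirement the rule's definition calls out).
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") != "StrongAuthenticationRequirement":
                continue
            if 'State":0' in str(prop.get("newValue", "")):
                return True
    return False


def affected_users(events):
    """Return the principals whose MFA requirement was set to disabled."""
    return [t["userPrincipalName"] for e in events if mfa_disabled(e)
            for t in e["targetResources"]]
```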
Rule Metadata
Rule ID
b18454c8-0be3-41f7-86bc-9c614611b839
Status
test
Level
medium
Type
Detection
Created
Wed Aug 21
Author
Path
rules/cloud/azure/audit_logs/azure_user_account_mfa_disable.yml
Raw Tags
attack.credential-access
attack.persistence