Multi Factor Authentication Disabled For User Account

    Date: 08/22/2024

    Severity: Medium

    Summary

    Detects Azure AD audit events in which a user's "StrongAuthenticationRequirement" property is changed to "0" (Disabled). Threat actors have been observed disabling multi-factor authentication to gain or maintain access to accounts, a tactic also seen in SIM swap attacks.

    Indicators of Compromise (IOC) List

    LoggedByService: 'Core Directory'
    Category: 'UserManagement'
    OperationName: 'Update user'
    TargetResources.ModifiedProperties.DisplayName: 'StrongAuthenticationRequirement'
    TargetResources.ModifiedProperties.NewValue: "State\":0"

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    ((resourcename = "Azure AD Directory Audit" AND loggedbyservice = "Core Directory") AND operationtype = "Update user") AND category = "UserManagement" AND rawmessages In ("'StrongAuthenticationRequirement'", "State\":0")

    Detection Query 2

    ((Technologygroup = "EDR" AND loggedbyservice = "Core Directory") AND operationtype = "Update user") AND category = "UserManagement" AND rawmessages In ("'StrongAuthenticationRequirement'", "State\":0")
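    The same match expressed as detection logic over Azure AD Directory Audit records, as an added example (not Gurucul's or the Sigma project's code). It applies the page's four IOC conditions and, instead of the bare substring "State\":0" the queries rely on, parses NewValue as the JSON list Azure AD writes for this property and checks for an entry with State 0, falling back to the substring only when the value is not valid JSON; the sample records are constructed.

```python
import json

# Constructed sample Azure AD Directory Audit records (not real telemetry):
# the first disables per-user MFA ("State":0), the second re-enables it.
SAMPLE_AUDIT_LOG = [
    {"loggedByService": "Core Directory", "category": "UserManagement",
     "operationName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}},
     "targetResources": [{"userPrincipalName": "victim@example.com",
                          "modifiedProperties": [{
                              "displayName": "StrongAuthenticationRequirement",
                              "oldValue": '[{"RelyingParty":"*","State":1}]',
                              "newValue": '[{"RelyingParty":"*","State":0}]'}]}]},
    {"loggedByService": "Core Directory", "category": "UserManagement",
     "operationName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}},
     "targetResources": [{"userPrincipalName": "alice@example.com",
                          "modifiedProperties": [{
                              "displayName": "StrongAuthenticationRequirement",
                              "oldValue": "[]",
                              "newValue": '[{"RelyingParty":"*","State":1}]'}]}]},
]

def is_mfa_disable_event(record: dict) -> bool:
    """Match the page's IOCs: Core Directory / UserManagement / Update user with StrongAuthenticationRequirement set to State 0."""
    if (record.get("loggedByService") != "Core Directory"
            or record.get("category") != "UserManagement"
            or record.get("operationName") != "Update user"):
        return False
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") != "StrongAuthenticationRequirement":
                continue
            raw = prop.get("newValue") or ""
            try:
                entries = json.loads(raw)  # list of per-relying-party states
            except json.JSONDecodeError:
                return '"State":0' in raw  # fall back to the queries' substring
            if isinstance(entries, list) and any(
                    isinstance(e, dict) and e.get("State") == 0 for e in entries):
                return True
    return False

def find_mfa_disables(records):
    """Return (actor, target UPN) pairs for every MFA-disable event."""
    hits = []
    for rec in filter(is_mfa_disable_event, records):
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
        hits += [(actor, t.get("userPrincipalName")) for t in rec["targetResources"]]
    return hits
```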

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/azure/audit_logs/azure_user_account_mfa_disable.yml

    https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/

    Tags: Malware, Sigma
