User Risk and MFA Registration Policy Updated

    Date: 08/22/2024

    Severity: High

    Summary

    Detects modifications and updates to the user risk and MFA registration policies. Attackers may alter these policies to bypass MFA, lower security thresholds, enable additional attacks, or maintain persistence.

    Indicators of Compromise (IOC) List

    LoggedByService

    'AAD Management UX'

    Category

    'Policy'

    OperationName

    'Update User Risk and MFA Registration Policy'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    ((resourceName = "Azure AD Directory Audit" AND loggedbyservice = "AAD Management UX") AND category = "Policy") AND operationtype = "Update User Risk and MFA Registration Policy"

    Detection Query 2

    ((Technologygroup = "EDR" AND loggedbyservice = "AAD Management UX") AND category = "Policy") AND operationtype = "Update User Risk and MFA Registration Policy"
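    The two Gurucul queries above express the same three-field match. As an added illustration (not part of the original advisory and not Gurucul's or SigmaHQ's code), the script below applies that match to newline-delimited JSON audit records and reports who made the change and whether it succeeded. The records are constructed samples, and the field names (loggedByService, category, operationName, initiatedBy, activityDateTime) are assumed to follow the Microsoft Entra audit-log export schema; adjust them if your SIEM renames fields on ingestion, as the Gurucul queries do (loggedbyservice, operationtype).

```python
import json

# Constructed sample audit records (not real telemetry), one JSON object per line,
# shaped like a Microsoft Entra audit-log export. Field names are an assumption.
SAMPLE_AUDIT_LOG = """
{"activityDateTime": "2024-08-22T10:15:03Z", "loggedByService": "AAD Management UX", "category": "Policy", "operationName": "Update User Risk and MFA Registration Policy", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "admin@example.test", "ipAddress": "203.0.113.10"}}}
{"activityDateTime": "2024-08-22T10:16:40Z", "loggedByService": "Core Directory", "category": "UserManagement", "operationName": "Update user", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test", "ipAddress": "198.51.100.7"}}}
{"activityDateTime": "2024-08-22T10:18:12Z", "loggedByService": "AAD Management UX", "category": "Policy", "operationName": "Update User Risk and MFA Registration Policy", "result": "failure", "initiatedBy": {"app": {"displayName": "Automation Runbook", "servicePrincipalId": "00000000-0000-0000-0000-000000000000"}}}
{"activityDateTime": "2024-08-22T10:20:00Z", "loggedByService": "AAD Management UX", "category": "Policy", "operationName": "Update conditional access policy", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "admin@example.test", "ipAddress": "203.0.113.10"}}}
"""

# The three indicators from the advisory; all must match for an alert.
RULE = {
    "loggedByService": "AAD Management UX",
    "category": "Policy",
    "operationName": "Update User Risk and MFA Registration Policy",
}


def matches_rule(event: dict) -> bool:
    """True when every indicator field matches (case-insensitive, so casing
    differences between export formats do not silently drop hits)."""
    return all(
        str(event.get(field, "")).casefold() == value.casefold()
        for field, value in RULE.items()
    )


def actor_of(event: dict) -> str:
    """Name the principal that initiated the change: a user UPN, or an
    application display name when the change came from a service principal."""
    initiator = event.get("initiatedBy") or {}
    if "user" in initiator:
        return initiator["user"].get("userPrincipalName", "unknown-user")
    if "app" in initiator:
        return initiator["app"].get("displayName", "unknown-app")
    return "unknown"


def detect(lines) -> list:
    """Scan newline-delimited JSON audit records and return one alert per
    policy update. Failed attempts are reported too: a denied change to the
    MFA registration policy is still worth an analyst's attention."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        if matches_rule(event):
            alerts.append({
                "time": event.get("activityDateTime"),
                "actor": actor_of(event),
                "result": event.get("result"),
                "operation": event.get("operationName"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"{alert['time']} {alert['result']:8} {alert['actor']} -> {alert['operation']}")
```

    On the sample data this raises two alerts: the successful change by admin@example.test and the failed attempt by the service principal, while the unrelated user update and conditional-access change are ignored. In production, feed the script the audit export rather than the embedded sample and route the alert list to your ticketing or SOAR pipeline.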

    References:

    https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/azure/audit_logs/azure_update_risk_and_mfa_registration_policy.yml

    https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy

    https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities

    Tags

    Malware, Sigma
