sigmahighHunting

Disabling Multi Factor Authentication

Detects disabling of Multi Factor Authentication.

MITRE ATT&CK

persistencedefense-evasioncredential-access

Detection Query

selection:
  Operation|contains: Disable Strong Authentication.
condition: selection

Author

Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)

Created

2023-09-18

Data Sources

m365audit

Platforms

m365

References

https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/

Tags

attack.persistenceattack.defense-evasionattack.credential-accessattack.t1556.006

Raw Content

title: Disabling Multi Factor Authentication
id: 60de9b57-dc4d-48b9-a6a0-b39e0469f876
status: test
description: Detects disabling of Multi Factor Authentication.
references:
    - https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/
author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
date: 2023-09-18
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.credential-access
    - attack.t1556.006
logsource:
    service: audit
    product: m365
detection:
    selection:
        Operation|contains: 'Disable Strong Authentication.'
    condition: selection
falsepositives:
    - Unlikely
level: high