EXPLORE
Sign In
← Back to Explore
T1556.006

Multi-Factor Authentication

Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. Once adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621), adversaries may leverage their access to modify or completely disable MFA defenses. This can be accomplished by abusing legitimate fea...

WindowsSaaSIaaSLinuxmacOSOffice SuiteIdentity Provider
25
Detections
3
Sources
1
Threat Actors

BY SOURCE

11elastic11splunk_escu3sigma

PROCEDURES (12)

Authentication Monitoring8 detections

Auto-extracted: 8 detections for authentication monitoring

Cloud3 detections

Auto-extracted: 3 detections for cloud

Api3 detections

Auto-extracted: 3 detections for api

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Unusual2 detections

Auto-extracted: 2 detections for unusual

Bypass1 detections

Auto-extracted: 1 detections for bypass

Credential1 detections

Auto-extracted: 1 detections for credential

Privilege1 detections

Auto-extracted: 1 detections for privilege

Api1 detections

Auto-extracted: 1 detections for api

Azure1 detections

Auto-extracted: 1 detections for azure

Azure1 detections

Auto-extracted: 1 detections for azure

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

THREAT ACTORS (1)

Scattered Spider

DETECTIONS (25)

ASL AWS Multi-Factor Authentication Disabled
splunk_escu
ASL AWS New MFA Method Registered For User
splunk_escu
Attempt to Deactivate an Okta Policy
elasticlow
Attempt to Delete an Okta Policy
elasticmedium
Attempt to Reset MFA Factors for an Okta User Account
elasticlow
AWS IAM Deactivation of MFA Device
elasticmedium
AWS IAM Virtual MFA Device Registration Attempt with Session Token
elasticmedium
AWS Multi-Factor Authentication Disabled
splunk_escu
AWS New MFA Method Registered For User
splunk_escu
AWS STS AssumeRole with New MFA Device
elasticlow
Azure AD Multi-Factor Authentication Disabled
splunk_escu
Azure AD New MFA Method Registered For User
splunk_escu
Azure AD Only Single Factor Authentication Required
sigmalow
Disabling Multi Factor Authentication
sigmahigh
Entra ID MFA Disabled for User
elasticmedium
Entra ID User Sign-in with Unusual Authentication Type
elasticmedium
GCP Multi-Factor Authentication Disabled
splunk_escu
Google Workspace MFA Enforcement Disabled
elasticmedium
MFA Deactivation with no Re-Activation for Okta User Account
elasticlow
Okta MFA Reset or Deactivated
sigmamedium
Okta Multi-Factor Authentication Disabled
splunk_escu
PingID Mismatch Auth Source and Verification Response
splunk_escu
PingID New MFA Method After Credential Reset
splunk_escu
PingID New MFA Method Registered For User
splunk_escu
Stolen Credentials Used to Login to Okta Account After MFA Reset
elastichigh