t1556 | LoFP

t1556

Title	Tags
a mfa device may be deactivated by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. mfa device deactivations from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	t1531 t1556 aws elastic
a windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative action. following this, the administrator may have reset the mfa credentials for themselves and then logged into the okta console for ad directory services integration management.	t1556 okta elastic
administrators may remove 2-step verification (2sv) temporarily for testing or during maintenance. if 2sv was previously enabled, it is not common to disable this policy for extended periods of time.	t1556 google_workspace elastic
approved administrator/owner activities.	t1556 github sigma
authorized changes to the aws account's identity provider	t1556 aws sigma
authorized modification by administrators	t1556 azure sigma
authorized third party network logon providers.	t1543 t1556 windows elastic
aws administrators may disable mfa but it is highly unlikely for this event to occur without prior notice to the company	t1556 t1556.006 t1586 t1586.003 t1621 aws account splunk
consider adding exceptions to this rule to filter false positives if sign on policies for okta applications are regularly modified or deleted in your organization.	t1556 okta elastic
disabling a dkim configuration may be done by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.	t1556 o365 elastic
fidelity of this is high as okta is specifying malicious infrastructure. filter and modify as needed.	t1078 t1078.001 t1556 infrastructure splunk
if a mfa reset or deactivated was performed by a system administrator.	t1556 t1556.006 okta sigma
if the behavior of deactivating mfa for okta user accounts is expected, consider adding exceptions to this rule to filter false positives.	t1556 okta elastic
if this was approved by system administrator.	t1078 t1078.004 t1110 t1556 t1556.006 azure sigma
legitimate administrative use	t1046 t1082 t1135 t1505 t1505.005 t1546 t1546.007 t1546.008 t1547 t1547.001 t1547.002 t1547.010 t1547.014 t1556 t1556.002 t1557 t1562 t1562.002 t1564 t1564.002 t1574 t1574.007 windows sigma
legitimate use case may require for users to disable mfa. filter as needed.	t1556 t1556.006 t1586 t1586.003 azure active directory gcp splunk
legitimate use case may require for users to disable mfa. filter lightly and monitor for any unusual activity.	t1556 t1556.006 okta tenant splunk
logon errors may not be malicious in nature however it may indicate attempts to reuse a token or password obtained via credential access attack.	t1556 o365 tenant splunk
mfa settings may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.	t1556 google_workspace elastic
misconfigured role permissions	t1548 t1556 azure sigma
modifications in the msds-keycredentiallink attribute can be done legitimately by the azure ad connect synchronization account or the adfs service account. these accounts can be added as exceptions.	t1556 windows elastic
newly onboarded users who are registering an mfa method for the first time will also trigger this detection.	t1556 t1556.006 azure active directory aws account splunk
potential to be triggered by an administrator disabling protections for troubleshooting purposes.	t1556 endpoint splunk
public access is a common configuration used to enable access from outside a private vpc. ensure that the instance should not be modified in this way before taking action.	t1556 aws elastic
trusted openssh executable updates. it's recommended to verify the integrity of openssh binary changes.	t1021 t1543 t1556 t1563 linux elastic
trusted system module updates or allowed pluggable authentication module (pam) daemon configuration changes.	t1543 t1556 cross-platform linux elastic
unless it is a special case, it is uncommon to disable mfa or strong authentication	t1556 o365 tenant splunk
unlikely	t1003 t1003.001 t1003.002 t1003.004 t1003.005 t1003.006 t1005 t1007 t1008 t1012 t1014 t1016 t1018 t1021 t1021.002 t1021.003 t1021.006 t1027 t1027.005 t1033 t1036 t1036.003 t1036.005 t1036.007 t1041 t1046 t1047 t1048 t1048.001 t1053 t1053.003 t1053.005 t1055 t1055.001 t1056 t1057 t1059 t1059.001 t1059.002 t1059.003 t1068 t1070 t1071 t1071.001 t1071.004 t1078 t1082 t1083 t1087 t1090 t1090.001 t1090.003 t1105 t1106 t1112 t1115 t1123 t1127 t1132 t1132.001 t1133 t1134 t1134.001 t1134.002 t1134.004 t1136 t1136.001 t1136.002 t1137 t1137.002 t1140 t1190 t1202 t1203 t1204 t1210 t1213 t1213.003 t1216 t1218 t1218.001 t1218.008 t1218.010 t1218.011 t1218.013 t1219 t1486 t1489 t1490 t1496 t1498 t1499 t1499.001 t1505 t1505.003 t1526 t1528 t1543 t1543.003 t1546 t1546.008 t1546.015 t1548 t1548.003 t1550 t1550.003 t1552 t1552.004 t1553 t1553.004 t1555 t1556 t1557 t1557.001 t1558 t1558.003 t1562 t1562.001 t1562.002 t1562.010 t1564 t1564.004 t1566 t1569 t1569.002 t1570 t1574 t1574.001 t1574.002 t1586 t1587 t1587.001 t1588 t1588.002 t1590 t1590.001 t1590.002 t1620 t1649 windows opencanary okta m365 azure bitbucket macos linux sigma
updates to approved and trusted ssh executables can trigger this rule.	t1554 t1556 linux elastic
user removed from the group is approved	t1548 t1556 azure sigma