Techniques
Sample rules
Multi Factor Authentication Disabled For User Account
- source: sigma
- techniques:
Description
Detects changes to the “StrongAuthenticationRequirement” value, where the state is set to “0” or “Disabled”. Threat actors have been seen disabling multi-factor authentication for users in order to maintain or achieve access to the account. Also seen in SIM swap attacks.
Detection logic
condition: selection
selection:
  Category: UserManagement
  LoggedByService: Core Directory
  OperationName: Update user
  TargetResources.ModifiedProperties.DisplayName: StrongAuthenticationRequirement
  TargetResources.ModifiedProperties.NewValue|contains: State":0
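
The selection above applied to constructed audit events, as an added example that is not part of the Sigma rule or of this page's source. The nested event layout, the `make_event` helper and the sample values are assumptions; requiring the property name and the new value to match in the same entry is a choice made here.

```python
# Added example: the rule's selection evaluated over constructed audit events.
# Assumed layout: nested dicts/lists keyed by the rule's own field names.
EQUALS = {"Category": "UserManagement",
          "LoggedByService": "Core Directory",
          "OperationName": "Update user"}
PROPERTY_NAME = "StrongAuthenticationRequirement"
NEW_VALUE_CONTAINS = 'State":0'


def mfa_disabled(event):
    """True when every selection field matches (case-insensitive, as in Sigma)."""
    for field, expected in EQUALS.items():
        if str(event.get(field, "")).lower() != expected.lower():
            return False
    props = (p for res in event.get("TargetResources") or []
             for p in res.get("ModifiedProperties") or [])
    # Name and value must match in the same entry, so a State":0 carried by
    # an unrelated property does not satisfy the selection.
    return any(
        str(p.get("DisplayName", "")).lower() == PROPERTY_NAME.lower()
        and NEW_VALUE_CONTAINS.lower() in str(p.get("NewValue", "")).lower()
        for p in props)


def make_event(prop, new_value, operation="Update user"):
    """Build one constructed audit event (hypothetical helper for the demo)."""
    return {"Category": "UserManagement",
            "LoggedByService": "Core Directory",
            "OperationName": operation,
            "TargetResources": [{"ModifiedProperties": [
                {"DisplayName": prop, "NewValue": new_value}]}]}


# Constructed sample events, not real tenant data.
SAMPLES = {
    "disabled": make_event(PROPERTY_NAME, '[{"RelyingParty":"*","State":0}]'),
    "enabled": make_event(PROPERTY_NAME, '[{"RelyingParty":"*","State":1}]'),
    "spaced_json": make_event(PROPERTY_NAME, '[{"State": 0}]'),
    "other_property": make_event("AccountEnabled", '[{"State":0}]'),
    "other_operation": make_event(PROPERTY_NAME, '[{"State":0}]', "Add user"),
}

if __name__ == "__main__":
    for name, event in SAMPLES.items():
        print(f"{name}: {'ALERT' if mfa_disabled(event) else 'no match'}")
```

The `spaced_json` sample shows that a `NewValue` serialized as `"State": 0` does not contain the rule's substring and goes unmatched.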