LoFP / Legitimate use cases may require users to disable MFA. Filter as needed.

Sample rules

Azure AD Multi-Factor Authentication Disabled

Description

The following analytic detects attempts to disable multi-factor authentication (MFA) for an Azure AD user. It leverages Azure Active Directory AuditLogs to identify the “Disable Strong Authentication” operation. This activity is significant because disabling MFA can allow adversaries to maintain persistence using compromised accounts without raising suspicion. If confirmed malicious, this action could enable attackers to bypass an essential security control, potentially leading to unauthorized access and prolonged undetected presence in the environment.

Detection logic

`azure_monitor_aad` category=AuditLogs operationName="Disable Strong Authentication" 
| rename properties.* as * 
| rename targetResources{}.type as type 
| rename initiatedBy.user.userPrincipalName as initiatedBy 
| stats count min(_time) as firstTime max(_time) as lastTime by user, type, operationName, initiatedBy, result 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `azure_ad_multi_factor_authentication_disabled_filter`

GCP Multi-Factor Authentication Disabled

Description

The following analytic detects an attempt to disable multi-factor authentication (MFA) for a Google Cloud Platform (GCP) user. It leverages Google Workspace Admin log events, specifically the UNENROLL_USER_FROM_STRONG_AUTH command. This activity is significant because disabling MFA can allow an adversary to maintain persistence within the environment using a compromised account without raising suspicion. If confirmed malicious, this action could enable attackers to bypass additional security layers, potentially leading to unauthorized access, data exfiltration, or further exploitation of the compromised account.

Detection logic

`gws_reports_admin` command=UNENROLL_USER_FROM_STRONG_AUTH 
| stats count min(_time) as firstTime max(_time) as lastTime by user, command, actor.email, status, id.applicationName, event.name, vendor_account, action 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `gcp_multi_factor_authentication_disabled_filter`
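As an added example (not part of this LoFP page or of the Splunk security_content project), the following Python reproduces both searches above over constructed sample events: the filter on `operationName` / `command`, the field renames, the `stats count min(_time) max(_time) by ...` grouping, the `security_content_ctime` formatting, and a final allowlist stage that plays the role of the two `*_filter` macros the page tells you to tune for legitimate MFA resets. Assumptions: the Azure `user` field is taken from the target resource's `userPrincipalName` (in Splunk it comes from the add-on's field extraction), multivalue `{}` paths are approximated by the first list element, and all event timestamps and principals are made up.

```python
"""Added example: Python equivalent of the two SPL searches, with a filter stage
standing in for the `*_filter` macros. Sample events are constructed, not real."""
from datetime import datetime, timezone

# Constructed Azure AD AuditLogs events (shape follows the SPL field names).
AZURE_AUDIT_LOGS = [
    {"_time": 1700000000, "category": "AuditLogs", "operationName": "Disable Strong Authentication",
     "properties": {"result": "success",
                    "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}},
                    "targetResources": [{"type": "User", "userPrincipalName": "alice@example.com"}]}},
    {"_time": 1700000600, "category": "AuditLogs", "operationName": "Disable Strong Authentication",
     "properties": {"result": "success",
                    "initiatedBy": {"user": {"userPrincipalName": "attacker@example.com"}},
                    "targetResources": [{"type": "User", "userPrincipalName": "bob@example.com"}]}},
    {"_time": 1700001200, "category": "AuditLogs", "operationName": "Disable Strong Authentication",
     "properties": {"result": "success",
                    "initiatedBy": {"user": {"userPrincipalName": "attacker@example.com"}},
                    "targetResources": [{"type": "User", "userPrincipalName": "bob@example.com"}]}},
    {"_time": 1700001800, "category": "AuditLogs", "operationName": "Update user",
     "properties": {"result": "success",
                    "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}},
                    "targetResources": [{"type": "User", "userPrincipalName": "alice@example.com"}]}},
]

# Constructed Google Workspace admin log events.
GWS_ADMIN_EVENTS = [
    {"_time": 1700002400, "command": "UNENROLL_USER_FROM_STRONG_AUTH", "user": "carol@example.com",
     "actor": {"email": "admin@example.com"}, "status": "SUCCESS", "id": {"applicationName": "admin"},
     "event": {"name": "UNENROLL_USER_FROM_STRONG_AUTH"}, "vendor_account": "example.com",
     "action": "UNENROLL_USER_FROM_STRONG_AUTH"},
    {"_time": 1700003000, "command": "CHANGE_PASSWORD", "user": "carol@example.com",
     "actor": {"email": "admin@example.com"}, "status": "SUCCESS", "id": {"applicationName": "admin"},
     "event": {"name": "CHANGE_PASSWORD"}, "vendor_account": "example.com", "action": "CHANGE_PASSWORD"},
]


def _get(obj, path):
    """Dotted-path lookup. A `{}` segment takes the first list element, which
    approximates Splunk's multivalue `field{}` access (assumption, see lead-in)."""
    cur = obj
    for part in path.split("."):
        if part.endswith("{}"):
            lst = cur.get(part[:-2], []) if isinstance(cur, dict) else []
            cur = lst[0] if lst else None
        else:
            cur = cur.get(part) if isinstance(cur, dict) else None
        if cur is None:
            return None
    return cur


def _ctime(epoch):
    """Equivalent of the `security_content_ctime` macro: epoch -> readable UTC time."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def stats_by(events, group_fields):
    """`stats count min(_time) as firstTime max(_time) as lastTime by <fields>`,
    followed by the two ctime macros on firstTime/lastTime."""
    rows = {}
    for ev in events:
        key = tuple(_get(ev, f) for f in group_fields)
        row = rows.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    out = []
    for key, row in rows.items():
        row = dict(zip(group_fields, key), **row)
        row["firstTime"], row["lastTime"] = _ctime(row["firstTime"]), _ctime(row["lastTime"])
        out.append(row)
    return out


def azure_mfa_disabled(events, allowed_initiators=frozenset()):
    """Azure AD rule. `allowed_initiators` (e.g. a helpdesk account that legitimately
    resets MFA) stands in for `azure_ad_multi_factor_authentication_disabled_filter`."""
    matched = []
    for ev in events:
        if ev.get("category") != "AuditLogs" or ev.get("operationName") != "Disable Strong Authentication":
            continue
        props = ev.get("properties", {})  # `rename properties.* as *`
        matched.append({
            "_time": ev["_time"],
            "user": _get(props, "targetResources{}.userPrincipalName"),  # assumed source of CIM `user`
            "type": _get(props, "targetResources{}.type"),
            "operationName": ev["operationName"],
            "initiatedBy": _get(props, "initiatedBy.user.userPrincipalName"),
            "result": props.get("result"),
        })
    rows = stats_by(matched, ["user", "type", "operationName", "initiatedBy", "result"])
    return [r for r in rows if r["initiatedBy"] not in allowed_initiators]


def gcp_mfa_disabled(events, allowed_actors=frozenset()):
    """GCP rule. `allowed_actors` stands in for `gcp_multi_factor_authentication_disabled_filter`."""
    matched = [ev for ev in events if ev.get("command") == "UNENROLL_USER_FROM_STRONG_AUTH"]
    fields = ["user", "command", "actor.email", "status", "id.applicationName",
              "event.name", "vendor_account", "action"]
    rows = stats_by(matched, fields)
    return [r for r in rows if r["actor.email"] not in allowed_actors]


if __name__ == "__main__":
    for row in azure_mfa_disabled(AZURE_AUDIT_LOGS, {"helpdesk@example.com"}):
        print("azure", row)
    for row in gcp_mfa_disabled(GWS_ADMIN_EVENTS):
        print("gcp", row)
```

With the allowlist empty, the Azure search returns both the helpdesk-initiated and the unknown-initiator rows; adding the helpdesk principal to `allowed_initiators` drops the first while keeping the repeated disable of `bob@example.com` (count 2 across the grouped first/last times), which is the kind of tuning the LoFP note at the top of the page refers to.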