LoFP / users actually login but miss-click into the deny button when mfa prompt.

Techniques

• t1078
• t1078.004
• t1110
• t1621

Sample rules

Multifactor Authentication Denied

• source: sigma
• technicques:
  • t1078
  • t1078.004
  • t1110
  • t1621

Description

User has indicated they haven’t instigated the MFA prompt and could indicate an attacker has the password for the account.

Detection logic

condition: selection
selection:
  AuthenticationRequirement: multiFactorAuthentication
  Status|contains: MFA Denied