T1556.006: Multi-Factor Authentication

Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.

Once adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as Multi-Factor Authentication Request Generation, adversaries may leverage their access to modify or completely disable MFA defenses. This can be accomplished by abusing legitimate features, such as excluding users from Azure AD Conditional Access Policies, registering a new yet vulnerable/adversary-controlled MFA method, or by manually patching MFA programs and configuration files to bypass expected functionality.

For example, modifying the Windows hosts file (C:\windows\system32\drivers\etc\hosts) to redirect MFA calls to localhost instead of an MFA server may cause the MFA process to fail. If a "fail open" policy is in place, any otherwise successful authentication attempt may be granted access without enforcing MFA.

Depending on the scope, goals, and privileges of the adversary, MFA defenses may be disabled for individual accounts or for all accounts tied to a larger group, such as all domain accounts in a victim's network environment.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

bruteforce: PT-CR-1755: Multifactor_Brute_Second_Factor: Multiple second authentication factor requests in Multifactor. This may indicate an attempt by attackers, who obtained the user's credentials, to push the user to confirm the login. mitre_attck_cred_access: PT-CR-1796: Multifactor_Bypass_Due_API_Unavailability: The "bypass-second-factor-when-api-unreachable" parameter allows you to bypass the second authentication factor if Multifactor API is not available mitre_attck_cred_access: PT-CR-1584: Multifactor_Bypass_MFA: Bypassing multi-factor authentication may indicate a server misconfiguration. Attackers can exploit this to penetrate the infrastructure. mitre_attck_cred_access: PT-CR-1993: Multifactor_Second_Factor_Verified_Without_Request: The second user authentication factor was confirmed without an authentication request mitre_attck_cred_access: PT-CR-1991: Multifactor_Bypass_From_Local_Network_Side: A user accessed several servers by confirming the second factor only once mitre_attck_cred_access: PT-CR-1990: Subrule_Multifactor_Bypass_From_Local_Network_Side: The second user authentication factor was checked and confirmed twice at same time

Detection

IDDS0028Data source and componentLogon Session: Logon Session CreationDescription

Monitor for logon sessions for user accounts and devices that did not require MFA for authentication.

IDDS0015Data source and componentApplication Log: Application Log ContentDescription

Monitor for changes made to global multi-factor authentication settings in Identity-as-a-Service providers. For example, in Okta environments, the events system.mfa.factor.activate and system.mfa.factor.deactivate will trigger when an MFA factor is globally activated or deactivated.

IDDS0026Data source and componentActive Directory: Active Directory Object ModificationDescription

Monitor for changes made to AD security settings related to MFA logon requirements, such as changes to Azure AD Conditional Access Policies or the registration of new MFA applications.

IDDS0002Data source and componentUser Account: User Account AuthenticationDescription

Monitor for account authentications in which MFA credentials are not provided by the user account to the authenticating entity.

IDDS0002Data source and componentUser Account: User Account ModificationDescription

Monitor for the enrollment of devices and user accounts with alternative security settings that do not require MFA credentials for successful logon. Monitor for attempts to disable MFA on individual user accounts. Additionally, monitor for attempts to change or reset users’ MFA factor settings. For example, in Okta environments, the event user.mfa.factor.reset_all will trigger when all MFA factors are reset for a user.

Mitigation

IDM1018NameUser Account ManagementDescription

Ensure that proper policies are implemented to dictate the secure enrollment and deactivation of MFA for user accounts.

IDM1047NameAuditDescription

Review MFA actions alongside authentication logs to ensure that MFA-based logins are functioning as intended. Review user accounts to ensure that all accounts have MFA enabled.

IDM1032NameMulti-factor AuthenticationDescription

Ensure that MFA and MFA policies and requirements are properly implemented for existing and deactivated or dormant accounts and devices. If possible, consider configuring MFA solutions to "fail closed" rather than grant access in case of serious errors.