Detects registry and Group Policy modifications that disable or weaken MFA, suspicious PowerShell usage modifying MFA-related attributes, and anomalous login sessions succeeding without expected MFA challenge.

| Data Component | Name | Channel |
|---|---|---|
| Active Directory Object Modification (DC0066) | WinEventLog:Security | EventCode=4739 |
| Script Execution (DC0029) | WinEventLog:PowerShell | Set-ADUser or Set-ADAuthenticationPolicy with MFA attributes disabled |

| Field | Description |
|---|---|
| WatchedAttributes | List of AD attributes or policy fields tied to MFA enforcement that may vary by organization. |
| TimeWindow | Correlation window between MFA policy changes and anomalous login behavior. |
Detects conditional access policy changes, exclusion of accounts from MFA enforcement, or registration of new MFA factors by non-admin or anomalous users.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | azure:signinlogs | Modify Conditional Access Policy |
| User Account Modification (DC0010) | m365:unified | User excluded from MFA or MFA method registered |

| Field | Description |
|---|---|
| PrivilegedRoles | Roles permitted to modify MFA settings in IdP; helps tune detection of unauthorized changes. |
Detects API calls to cloud secrets/MFA configurations where MFA enforcement policies are disabled or bypassed.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Modification (DC0069) | AWS:CloudTrail | UpdateIdentityPolicy or DisableMFA |

| Field | Description |
|---|---|
| MonitoredServices | Specific cloud services or IAM policies relevant to MFA enforcement. |
Detects PAM module modifications or removal of MFA hooks in /etc/pam.d/ configurations, correlated with successful authentications lacking MFA prompts.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | open/write to /etc/pam.d/* |
| User Account Authentication (DC0002) | NSM:Connections | Successful login without expected MFA challenge |

| Field | Description |
|---|---|
| MFAHooks | Paths to organization-specific PAM modules enforcing MFA. |
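Correlation logic for the Linux analytic above, added here as an illustrative example rather than the page's own detection code: it joins auditd SYSCALL and PATH records for writes under /etc/pam.d/ with sshd sessions that never produced an "Accepted" line from an MFA module (the MFAHooks element) inside the correlation window (the TimeWindow element). The audit rule key, the module name, the log formats and all sample lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Mutable elements from the analytic, with assumed values: the MFA-proving PAM module and the correlation window.
MFA_HOOKS = {"pam_google_authenticator"}
TIME_WINDOW = timedelta(hours=1)
# Constructed auditd records; assumes a watch rule such as: -w /etc/pam.d/ -p wa -k pam-config
AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.100:501): arch=c000003e syscall=257 success=yes exit=3 comm="vi" auid=1001 key="pam-config"
type=PATH msg=audit(1700000000.100:501): item=1 name="/etc/pam.d/sshd" nametype=NORMAL
"""
# Constructed sshd auth log (RFC 3339 timestamps): bob passed the MFA module, alice never did.
AUTH_LOG = """\
2023-11-14T22:14:00+00:00 host sshd[2001]: pam_unix(sshd:session): session opened for user alice
2023-11-14T22:20:00+00:00 host sshd[2002]: pam_google_authenticator(sshd:auth): Accepted google_authenticator for bob
2023-11-14T22:20:01+00:00 host sshd[2002]: pam_unix(sshd:session): session opened for user bob
"""
AUDIT_RE = re.compile(r'type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)')
AUTH_RE = re.compile(r'(\S+) \S+ sshd\[(\d+)\]: (\w+)\(sshd:\w+\): (.*)')

def parse_audit(text):
    """Join SYSCALL and PATH records by audit serial; keep successful writes under /etc/pam.d/."""
    by_serial = {}
    for m in filter(None, map(AUDIT_RE.match, text.splitlines())):
        rtype, epoch, serial, body = m.groups()
        f = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', body)}
        rec = by_serial.setdefault(serial, {"ts": datetime.fromtimestamp(int(epoch), timezone.utc)})
        if rtype == "SYSCALL" and f.get("key") == "pam-config" and f.get("success") == "yes":
            rec["comm"], rec["auid"] = f.get("comm"), f.get("auid")
        elif rtype == "PATH" and f.get("name", "").startswith("/etc/pam.d/"):
            rec["path"] = f["name"]
    return [r for r in by_serial.values() if "path" in r and "comm" in r]

def parse_auth(text):
    """Return (ts, user, mfa_seen) per session; MFA is seen when a hook in MFA_HOOKS accepted the same sshd pid."""
    mfa_pids, sessions = set(), []
    for m in filter(None, map(AUTH_RE.match, text.splitlines())):
        ts, pid, module, msg = m.groups()
        if module in MFA_HOOKS and msg.startswith("Accepted"):
            mfa_pids.add(pid)
        elif user := re.search(r"session opened for user ([^\s(]+)", msg):
            sessions.append((datetime.fromisoformat(ts), user.group(1), pid in mfa_pids))
    return sessions

def correlate(mods, sessions, window=TIME_WINDOW):
    """Flag logins with no MFA step that occur within `window` after a pam.d modification."""
    return [{"user": u, "login": ts.isoformat(), "path": m["path"], "editor": m["comm"], "auid": m["auid"]}
            for ts, u, mfa_seen in sessions if not mfa_seen
            for m in mods if m["ts"] <= ts <= m["ts"] + window]
```

Pairing the MFA module's line with the session by sshd pid is a heuristic that holds for sshd's per-connection process model; other PAM-aware services need their own join key.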
Detects modifications to authorization plugins responsible for MFA enforcement and correlates with suspicious login sessions missing MFA prompts.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | macos:unifiedlog | Modification of /Library/Security/SecurityAgentPlugins |
| User Account Authentication (DC0002) | macos:unifiedlog | Login success without MFA step |

| Field | Description |
|---|---|
| WatchedPluginPaths | Paths to organization-deployed MFA authorization plugins. |
Detects suspicious MFA method changes, such as registration of weaker factors (e.g., SMS), or removal of MFA requirements for specific accounts or groups.

| Data Component | Name | Channel |
|---|---|---|
| User Account Modification (DC0010) | saas:zoom | DisableMFA or RegisterNewFactor |

| Field | Description |
|---|---|
| AcceptedFactors | Configured MFA factors allowed in SaaS environment; tuned to organizational policies. |
Detects MFA bypass attempts by modifying tenant-wide authentication policies or excluding high-value accounts from MFA enforcement.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | m365:unified | Set-CsOnlineUser or UpdateAuthPolicy |

| Field | Description |
|---|---|
| MonitoredPolicies | Specific tenant or suite policies tied to MFA enforcement. |