1. Home
  2. Techniques
  3. Enterprise
  4. Modify Authentication Process
  5. Multi-Factor Authentication

Modify Authentication Process: Multi-Factor Authentication

ID Name
T1556.001 Domain Controller Authentication
T1556.002 Password Filter DLL
T1556.003 Pluggable Authentication Modules
T1556.004 Network Device Authentication
T1556.005 Reversible Encryption
T1556.006 Multi-Factor Authentication
T1556.007 Hybrid Identity
T1556.008 Network Provider DLL
T1556.009 Conditional Access Policies

Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.

Once adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as Multi-Factor Authentication Request Generation, adversaries may leverage their access to modify or completely disable MFA defenses. This can be accomplished by abusing legitimate features, such as excluding users from Azure AD Conditional Access Policies, registering a new yet vulnerable/adversary-controlled MFA method, or by manually patching MFA programs and configuration files to bypass expected functionality.[1][2]

For example, modifying the Windows hosts file (C:\windows\system32\drivers\etc\hosts) to redirect MFA calls to localhost instead of an MFA server may cause the MFA process to fail. If a "fail open" policy is in place, any otherwise successful authentication attempt may be granted access without enforcing MFA. [3]

Depending on the scope, goals, and privileges of the adversary, MFA defenses may be disabled for individual accounts or for all accounts tied to a larger group, such as all domain accounts in a victim's network environment.[3]

ID: T1556.006
Sub-technique of:  T1556
Platforms: IaaS, Identity Provider, Linux, Office Suite, SaaS, Windows, macOS
Defense Bypassed: Multi-Factor Authentication
Contributors: Arun Seelagan, CISA; Liran Ravich, CardinalOps; Muhammad Moiz Arshad, @5T34L7H
Version: 1.3
Created: 31 May 2022
Last Modified: 14 October 2024
Version Permalink

Procedure Examples

ID Name Description
S0677 AADInternals

The AADInternals Set-AADIntUserMFA command can be used to disable MFA for a specified user.
G1015 Scattered Spider

After compromising user accounts, Scattered Spider registers their own MFA tokens.[4]
S1104 SLOWPULSE

SLOWPULSE can insert malicious logic to bypass RADIUS and ACE two factor authentication (2FA) flows if a designated attacker-supplied password is provided.[5]

Mitigations

ID Mitigation Description
M1047 Audit

Review MFA actions alongside authentication logs to ensure that MFA-based logins are functioning as intended. Review user accounts to ensure that all accounts have MFA enabled.[6]
M1032 Multi-factor Authentication

Ensure that MFA and MFA policies and requirements are properly implemented for existing and deactivated or dormant accounts and devices. If possible, consider configuring MFA solutions to "fail closed" rather than grant access in case of serious errors.
M1018 User Account Management

Ensure that proper policies are implemented to dictate the secure enrollment and deactivation of MFA for user accounts.

Detection

ID Data Source Data Component Detects
DS0026 Active Directory Active Directory Object Modification

Monitor for changes made to AD security settings related to MFA logon requirements, such as changes to Azure AD Conditional Access Policies or the registration of new MFA applications.

DS0015 Application Log Application Log Content

Monitor for changes made to global multi-factor authentication settings in Identity-as-a-Service providers. For example, in Okta environments, the events system.mfa.factor.activate and system.mfa.factor.deactivate will trigger when an MFA factor is globally activated or deactivated. [7]

Analytic 1 - Changes to MFA settings outside of normal maintenance windows.

index=security sourcetype="audit" OR sourcetype="azure:eventhub" OR sourcetype="o365:management:activity" OR sourcetype="gsuite:reports:admin" EventCode IN ("UserAddedToMFAExcludedGroup", "MFASettingsModified", "MFASettingsDisabled", "AddMFAOption", "RemoveMFAOption", "MFAEnforcementDisabled")
DS0028 Logon Session Logon Session Creation

Monitor for logon sessions for user accounts and devices that did not require MFA for authentication.

Analytic 1 - Successful logons without MFA.

index=security sourcetype="azure:eventhub" OR sourcetype="o365:management:activity" OR sourcetype="gsuite:reports:admin" OR sourcetype="linux_secure" OR sourcetype="WinEventLog:Security" (EventID="4624" OR EventID="4648" OR EventID="AuthenticationSuccess" OR EventCode IN ("4104", "552", "1200") OR EventName="UserLoggedIn" OR action="login_success")| eval MFA_used = case( isnotnull('AdditionalProperties.MFARequired') AND AdditionalProperties.MFARequired="true", "MFA", isnotnull('AdditionalProperties.MFAStatus') AND AdditionalProperties.MFAStatus="success", "MFA", isnotnull('AdditionalProperties.MFA') AND AdditionalProperties.MFA="success", "MFA", isnotnull('AuthenticationMethod') AND AuthenticationMethod IN ("MFA", "TOTP", "U2F", "Push Notification"), "MFA", isnotnull('MultiFactorUsed') AND MultiFactorUsed="Yes", "MFA", 1==1, "No MFA")| search MFA_used="No MFA"

DS0002 User Account User Account Authentication

Monitor for account authentications in which MFA credentials are not provided by the user account to the authenticating entity.

User Account Modification

Monitor for the enrollment of devices and user accounts with alternative security settings that do not require MFA credentials for successful logon. Monitor for attempts to disable MFA on individual user accounts.[6] Additionally, monitor for attempts to change or reset users’ MFA factor settings. For example, in Okta environments, the event user.mfa.factor.reset_all will trigger when all MFA factors are reset for a user. [7]

Analytic 1 - Unusual registration of MFA devices, changes to StrongAuthenticationPhoneAppDetail properties.

index="m365_audit_logs" Workload="AzureActiveDirectory" Operation="Update user" Actor="Azure MFA StrongAuthenticationService"| search ObjectId!="expected_user_id"| table CreationTime, Actor, ObjectId, IPAddress, ModifiedProperties

References

  1. Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromise. Retrieved September 16, 2022.
  2. Microsoft. (2022, August 26). Use Azure AD access reviews to manage users excluded from Conditional Access policies. Retrieved August 30, 2022.
  3. Cyber Security Infrastructure Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved May 31, 2022.
  4. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
  1. Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.
  2. Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023.
  3. Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved March 4, 2024.