T1556.006 IBM QRadar · QRadar

Detect Multi-Factor Authentication in IBM QRadar

Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. Methods include: excluding users from Azure AD Conditional Access Policies, registering adversary-controlled MFA methods (Scattered Spider), modifying Windows hosts file to redirect MFA server calls to localhost causing fail-open behavior (CISA AA22-074A), using AADInternals Set-AADIntUserMFA to disable MFA, and modifying SLOWPULSE to bypass RADIUS/ACE 2FA. Detection focuses on MFA configuration changes in identity provider audit logs.

MITRE ATT&CK

Tactic
Credential Access Defense Evasion Persistence
Technique
T1556 Modify Authentication Process
Sub-technique
T1556.006 Multi-Factor Authentication
Canonical reference
https://attack.mitre.org/techniques/T1556/006/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  username AS Actor,
  QIDNAME(qid) AS OperationType,
  CATEGORYNAME(category) AS Category,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceIP,
  CASE
    WHEN LOWER(QIDNAME(qid)) MATCHES '.*(disable.*mfa|admin.*mfa.*disable|strongauthentication.*disabled|admin.*deleted.*security).*'
      THEN 'HIGH'
    WHEN LOWER(QIDNAME(qid)) MATCHES '.*(delete.*security.*info|user.*deleted.*security|remove.*authenticat).*'
      THEN 'HIGH'
    WHEN LOWER(QIDNAME(qid)) MATCHES '.*(conditional.*access.*policy|update.*conditional|add.*conditional|delete.*conditional).*'
      THEN 'MEDIUM'
    WHEN LOWER(QIDNAME(qid)) MATCHES '.*(register.*security.*info|per.*user.*mfa|strongauthentication).*'
      THEN 'LOW'
    ELSE 'INFO'
  END AS RiskLevel
FROM events
WHERE LOGSOURCETYPEID IN (396, 430)
  AND (
    LOWER(QIDNAME(qid)) MATCHES '.*(mfa|strongauthentication|conditional.access|security.info|per.user.mfa).*'
    OR LOWER(payload) MATCHES
      '.*("disable strongauthentication"|"admin disabled mfa"|"update per-user mfa"|"conditional access policy"|strongauthenticationrequirement|"admin deleted security info"|"user deleted security info").*'
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
high severity medium confidence

Detects MFA modification and Conditional Access policy changes from Azure AD and Microsoft 365 log sources in QRadar. Uses LOGSOURCETYPEID 396 (Microsoft Azure Active Directory Audit DSM) and 430 (Microsoft Office 365 DSM) — adjust IDs to match your deployment version. Falls back to payload regex matching when QID normalisation is incomplete for newer operation types.

Data Sources

Microsoft Azure Active Directory Audit (QRadar DSM)Microsoft Office 365 (QRadar DSM)

Required Tables

events

False Positives & Tuning

  • Helpdesk staff resetting MFA for locked-out users during authenticated support calls — these appear as admin-initiated security info deletions with legitimate actor UPNs
  • Azure AD Connect or hybrid identity sync operations that trigger StrongAuthentication attribute writes as part of routine on-premises to cloud directory synchronisation
  • Privileged Identity Management (PIM) break-glass activation procedures that temporarily add emergency accounts to Conditional Access exclusion groups
Download portable Sigma rule (.yml)

Other platforms for T1556.006

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Disable MFA for a User via Microsoft Graph API

    Expected signal: Azure AD Audit Log: OperationName 'User deleted security info' or 'Update user' with StrongAuthenticationRequirement modification. Graph API call logged in Azure AD diagnostic logs. PowerShell ScriptBlock Log Event ID 4104.

  2. Test 2Add Trusted Location to Conditional Access Policy

    Expected signal: Azure AD Audit Log: OperationName 'Add named location' with the new IP range visible in audit details. Azure AD Audit Log: If location is then added as exclusion to a CA policy, OperationName 'Update conditional access policy'.

  3. Test 3Modify Windows Hosts File to Redirect MFA Server (CISA AA22-074A Pattern)

    Expected signal: Sysmon Event ID 11 (File Create/Modify): TargetFilename=C:\Windows\System32\drivers\etc\hosts, initiated by powershell.exe. Windows Defender may alert on hosts file modification. Security Event ID 4663 if file auditing is enabled.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1556.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1556Modify Authentication Process

Related Sub-techniques

T1556.001Domain Controller AuthenticationT1556.002Password Filter DLLT1556.003Pluggable Authentication ModulesT1556.004Network Device AuthenticationT1556.005Reversible EncryptionT1556.007Hybrid IdentityT1556.008Network Provider DLLT1556.009Conditional Access Policies

Related Techniques

T1556Modify Authentication ProcessT1556.009Conditional Access PoliciesT1621Multi-Factor Authentication Request GenerationT1078.004Cloud AccountsT1136.003Cloud AccountT1098.005Device Registration

Same Tactic: Credential Access

Popular Detections