Detect Multi-Factor Authentication in Splunk
Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. Methods include: excluding users from Azure AD Conditional Access Policies, registering adversary-controlled MFA methods (Scattered Spider), modifying Windows hosts file to redirect MFA server calls to localhost causing fail-open behavior (CISA AA22-074A), using AADInternals Set-AADIntUserMFA to disable MFA, and modifying SLOWPULSE to bypass RADIUS/ACE 2FA. Detection focuses on MFA configuration changes in identity provider audit logs.
MITRE ATT&CK
- Technique
- T1556 Modify Authentication Process
- Sub-technique
- T1556.006 Multi-Factor Authentication
- Canonical reference
- https://attack.mitre.org/techniques/T1556/006/
SPL Detection Query
index=azure_audit OR index=o365_audit
sourcetype IN ("azure:aad:audit", "o365:management:activity")
| eval OperationType=coalesce(Operation, OperationName)
| where match(OperationType, "(?i)(Disable.*MFA|Update.*StrongAuth|Delete.*security.*info|Admin.*MFA|Per-user MFA|conditional.*access|Update.*policy)")
| eval Actor=coalesce(UserId, InitiatingUser, Actor)
| eval Target=coalesce(ObjectId, TargetUser, Target)
| eval Risk=case(
match(OperationType, "(?i)Disable.*MFA|Admin.*disable"), "HIGH",
match(OperationType, "(?i)Delete.*security|Remove.*auth"), "HIGH",
match(OperationType, "(?i)conditional.*access|Update.*policy"), "MEDIUM",
1==1, "LOW"
)
| table _time, Actor, Target, OperationType, Result, Risk
| sort - _timeDetects MFA-weakening operations in Azure AD / Microsoft 365 audit logs using Splunk. Covers MFA disabling, security info deletion, and Conditional Access Policy modifications. Risk scoring helps prioritize: HIGH for direct MFA disabling, MEDIUM for policy changes that could indirectly weaken MFA.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Helpdesk operations resetting lost authenticator devices for legitimate users
- Administrative MFA policy updates authorized through change management
- User self-service MFA method registration during onboarding
- Break-glass account MFA management for emergency access procedures
Other platforms for T1556.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Disable MFA for a User via Microsoft Graph API
Expected signal: Azure AD Audit Log: OperationName 'User deleted security info' or 'Update user' with StrongAuthenticationRequirement modification. Graph API call logged in Azure AD diagnostic logs. PowerShell ScriptBlock Log Event ID 4104.
- Test 2Add Trusted Location to Conditional Access Policy
Expected signal: Azure AD Audit Log: OperationName 'Add named location' with the new IP range visible in audit details. Azure AD Audit Log: If location is then added as exclusion to a CA policy, OperationName 'Update conditional access policy'.
- Test 3Modify Windows Hosts File to Redirect MFA Server (CISA AA22-074A Pattern)
Expected signal: Sysmon Event ID 11 (File Create/Modify): TargetFilename=C:\Windows\System32\drivers\etc\hosts, initiated by powershell.exe. Windows Defender may alert on hosts file modification. Security Event ID 4663 if file auditing is enabled.
References (6)
- https://attack.mitre.org/techniques/T1556/006/
- https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
- https://www.mandiant.com/media/17826
- https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.006/T1556.006.md
- https://www.microsoft.com/en-us/security/blog/2022/10/25/microsoft-incident-response-tips-for-managing-a-phishing-crisis/
Unlock Pro Content
Get the full detection package for T1556.006 including response playbook, investigation guide, and atomic red team tests.