Detect Multi-Factor Authentication in Sumo Logic CSE
Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. Methods include: excluding users from Azure AD Conditional Access Policies, registering adversary-controlled MFA methods (Scattered Spider), modifying Windows hosts file to redirect MFA server calls to localhost causing fail-open behavior (CISA AA22-074A), using AADInternals Set-AADIntUserMFA to disable MFA, and modifying SLOWPULSE to bypass RADIUS/ACE 2FA. Detection focuses on MFA configuration changes in identity provider audit logs.
MITRE ATT&CK
- Technique
- T1556 Modify Authentication Process
- Sub-technique
- T1556.006 Multi-Factor Authentication
- Canonical reference
- https://attack.mitre.org/techniques/T1556/006/
Sumo Detection Query
(_sourceCategory="azure/auditlogs" OR _sourceCategory="o365/audit" OR _sourceCategory=*azure*audit*)
| json field=_raw "operationName" as OperationName nodrop
| json field=_raw "Operation" as O365Operation nodrop
| eval operation = if(!isNull(OperationName) && OperationName != "", OperationName, O365Operation)
| where operation matches /(?i)(Disable.*StrongAuth|.*StrongAuth.*Disable|User.*(registered|deleted).*security.*info|Admin.*(deleted|disabled).*(security.*info|MFA)|Update.*per-user.*MFA|Add.*conditional.*access.*policy|Update.*conditional.*access.*policy|Delete.*conditional.*access.*policy)/
| json field=_raw "properties.initiatedBy.user.userPrincipalName" as AzureActor nodrop
| json field=_raw "properties.initiatedBy.app.displayName" as ServiceActor nodrop
| json field=_raw "UserId" as O365Actor nodrop
| eval Actor = if(!isNull(AzureActor) && AzureActor != "", AzureActor, if(!isNull(O365Actor) && O365Actor != "", O365Actor, ServiceActor))
| json field=_raw "properties.targetResources[0].userPrincipalName" as AzureTarget nodrop
| json field=_raw "ObjectId" as O365Target nodrop
| eval Target = if(!isNull(AzureTarget) && AzureTarget != "", AzureTarget, O365Target)
| json field=_raw "properties.result" as AzureResult nodrop
| json field=_raw "ResultStatus" as O365Result nodrop
| eval Result = if(!isNull(AzureResult), AzureResult, O365Result)
| eval Risk = if(operation matches /(?i)(Disable.*MFA|Admin.*disable.*MFA|Admin.*deleted.*security.*info)/, "HIGH",
if(operation matches /(?i)(User.*deleted.*security.*info|Remove.*authenticat)/, "HIGH",
if(operation matches /(?i)(conditional.*access.*policy|Update.*conditional)/, "MEDIUM",
"LOW")))
| fields _messageTime, Actor, Target, operation, Result, Risk
| sort by _messageTime descDetects MFA configuration changes and Conditional Access policy modifications from Azure AD and M365 audit logs in Sumo Logic. Handles both Azure Monitor-formatted audit logs and Office 365 Management Activity API log shapes, normalising actor and target fields across both sources.
Data Sources
Required Tables
False Positives & Tuning
- Self-service MFA registration campaigns where large user populations enrol new security info methods simultaneously, generating high event volume with legitimate registrations
- Conditional Access policy bulk updates applied programmatically during approved change windows by identity engineering teams using the Microsoft Graph API
- Azure AD B2C or external identity provider federation configuration changes that generate 'Update user' events containing StrongAuthentication payloads during initial federation setup
Other platforms for T1556.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Disable MFA for a User via Microsoft Graph API
Expected signal: Azure AD Audit Log: OperationName 'User deleted security info' or 'Update user' with StrongAuthenticationRequirement modification. Graph API call logged in Azure AD diagnostic logs. PowerShell ScriptBlock Log Event ID 4104.
- Test 2Add Trusted Location to Conditional Access Policy
Expected signal: Azure AD Audit Log: OperationName 'Add named location' with the new IP range visible in audit details. Azure AD Audit Log: If location is then added as exclusion to a CA policy, OperationName 'Update conditional access policy'.
- Test 3Modify Windows Hosts File to Redirect MFA Server (CISA AA22-074A Pattern)
Expected signal: Sysmon Event ID 11 (File Create/Modify): TargetFilename=C:\Windows\System32\drivers\etc\hosts, initiated by powershell.exe. Windows Defender may alert on hosts file modification. Security Event ID 4663 if file auditing is enabled.
References (6)
- https://attack.mitre.org/techniques/T1556/006/
- https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
- https://www.mandiant.com/media/17826
- https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.006/T1556.006.md
- https://www.microsoft.com/en-us/security/blog/2022/10/25/microsoft-incident-response-tips-for-managing-a-phishing-crisis/
Unlock Pro Content
Get the full detection package for T1556.006 including response playbook, investigation guide, and atomic red team tests.