title: Multi-Factor Authentication (T1556.006)
id: df00tech-t1556-006
status: experimental
description: "Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. Observed methods include: excluding users from Azure AD (Entra ID) Conditional Access policies; registering adversary-controlled MFA methods on victim accounts (Scattered Spider); modifying the Windows hosts file to redirect calls to the MFA server (Duo, in CISA AA22-074A) to localhost, so that the integration's fail-open default granted access without a second factor; disabling per-user MFA with the AADInternals cmdlet Set-AADIntUserMFA; and deploying SLOWPULSE, which patches Pulse Secure VPN binaries to bypass RADIUS and ACE two-factor authentication. Detection focuses on MFA configuration changes in identity provider audit logs. The hosts-file and SLOWPULSE methods are host- or appliance-side and are not visible in the identity provider logs this rule reads; they need file-integrity or EDR coverage."
references:
  - https://attack.mitre.org/techniques/T1556/006/
  - https://df00tech.com/detections/T1556.006
author: df00tech
date: 2026/04/13
tags:
  - attack.t1556.006
# NOTE: logsource is auto-derived; the Entra ID (Azure AD) audit log service is assumed here and may need adjustment for your environment
logsource:
  product: azure
  service: auditlogs
detection:
  # The df00tech KQL/SPL query could not be auto-translated; the selection below covers the
  # identity-provider-side methods from the description (Conditional Access edits, per-user
  # MFA disable, MFA method registration). The operation names are assumed from the
  # Entra ID audit log ActivityDisplayName values and should be confirmed against your
  # tenant and against the original query on df00tech. A bare `EventID: '*'` selection
  # matches every Azure audit record and must not ship at level critical.
  selection:
    properties.message:
      - 'Update conditional access policy'
      - 'Delete conditional access policy'
      - 'Disable Strong Authentication'
      - 'Admin registered security info'
      - 'Admin updated security info'
      - 'User registered security info'
  condition: selection
falsepositives:
  - IT helpdesk disabling MFA for a user who lost their authenticator device — should be documented in a change ticket
  - MFA method registration by legitimate users adding a new phone or authenticator app
  - Conditional Access Policy updates by authorized administrators during planned policy reviews
  - Automated user lifecycle management systems that temporarily suspend MFA during account provisioning
level: critical
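The detection point in the description, MFA configuration changes surfacing in identity provider audit logs, run over constructed Entra ID (Azure AD) audit records. This is an added example placed after the rule, not df00tech's code or query. The record layout follows the audit log JSON export (activityDisplayName, initiatedBy, targetResources, modifiedProperties); the operation names, the `ConditionalAccessPolicy` and `StrongAuthenticationRequirement` property names, and all sample data are assumptions to validate against your own tenant before relying on them.

```python
"""MFA configuration-change detection over constructed Entra ID audit records.

Added example for the T1556.006 rule, not code from df00tech. Field and operation
names are assumptions modelled on the Entra ID audit log export.
"""
import json
from dataclasses import dataclass

# Audit operations mapped to the MFA-tampering category they indicate (assumed names).
MFA_OPERATIONS = {
    "Update conditional access policy": "conditional_access_change",
    "Delete conditional access policy": "conditional_access_change",
    "Disable Strong Authentication": "per_user_mfa_disabled",
    "Admin registered security info": "mfa_method_registered",
    "Admin updated security info": "mfa_method_registered",
    "User registered security info": "mfa_method_registered",
}


@dataclass
class Finding:
    timestamp: str
    actor: str
    target: str
    kind: str
    detail: str


def _json_or_empty(value):
    try:
        return json.loads(value) if value else {}
    except ValueError:
        return {}


def _excluded_users(policy):
    return set(policy.get("conditions", {}).get("users", {}).get("excludeUsers", []))


def _new_exclusions(modified_properties):
    """Users newly added to a Conditional Access policy's excludeUsers list.
    Assumes old/new policy JSON sits in a property named 'ConditionalAccessPolicy'."""
    for prop in modified_properties:
        if prop.get("displayName") == "ConditionalAccessPolicy":
            old = _excluded_users(_json_or_empty(prop.get("oldValue")))
            new = _excluded_users(_json_or_empty(prop.get("newValue")))
            return sorted(new - old)
    return []


def detect(records):
    """Return one Finding per audit record that changes MFA enforcement or enrollment."""
    findings = []
    for rec in records:
        op = rec.get("activityDisplayName", "")
        targets = rec.get("targetResources") or [{}]
        props = targets[0].get("modifiedProperties", [])
        kind, detail = MFA_OPERATIONS.get(op), op
        if kind == "conditional_access_change":
            added = _new_exclusions(props)
            if added:  # exclusion growth is the specific T1556.006 pattern, not just any edit
                kind = "conditional_access_exclusion_added"
                detail = "excludeUsers += " + ", ".join(added)
        elif kind is None and op == "Update user":
            # Per-user MFA changes via the legacy APIs that AADInternals Set-AADIntUserMFA
            # uses are assumed to appear as 'Update user' touching this property.
            if any(p.get("displayName") == "StrongAuthenticationRequirement" for p in props):
                kind, detail = "per_user_mfa_requirement_changed", "StrongAuthenticationRequirement modified"
        if kind is None:
            continue
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName") or "?"
        target = targets[0].get("displayName") or targets[0].get("userPrincipalName") or "?"
        findings.append(Finding(rec.get("activityDateTime", ""), actor, target, kind, detail))
    return findings


# Constructed sample records; no real tenant data.
SAMPLE_RECORDS = [
    {"activityDateTime": "2026-04-13T09:12:00Z", "activityDisplayName": "Update conditional access policy",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"displayName": "Require MFA for all users", "modifiedProperties": [
         {"displayName": "ConditionalAccessPolicy",
          "oldValue": json.dumps({"conditions": {"users": {"excludeUsers": ["breakglass-id"]}}}),
          "newValue": json.dumps({"conditions": {"users": {"excludeUsers": ["breakglass-id", "victim-user-id"]}}})}]}]},
    {"activityDateTime": "2026-04-13T09:15:00Z", "activityDisplayName": "Disable Strong Authentication",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"userPrincipalName": "victim@contoso.example"}]},
    {"activityDateTime": "2026-04-13T09:20:00Z", "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "victim@contoso.example"}},
     "targetResources": [{"userPrincipalName": "victim@contoso.example"}]},
    {"activityDateTime": "2026-04-13T09:25:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"userPrincipalName": "someone@contoso.example",
                          "modifiedProperties": [{"displayName": "JobTitle"}]}]},
    {"activityDateTime": "2026-04-13T09:30:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"userPrincipalName": "victim@contoso.example",
                          "modifiedProperties": [{"displayName": "StrongAuthenticationRequirement"}]}]},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_RECORDS):
        print(f"{f.timestamp} {f.kind}: {f.actor} -> {f.target} ({f.detail})")
```

The benign `Update user` record that only touches JobTitle produces no finding; the Conditional Access edit is reported as the more specific exclusion-added kind only when the excludeUsers set actually grew, which is the part of the event worth paging on rather than every policy save.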
