Multi Factor Authentication Disabled For User Account

Rule Info

Name
Multi Factor Authentication Disabled For User Account
Author
Harjot Singh (@cyb3rjy0t)
Description
Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled". Threat actors were seen disabling multi factor authentication for users in order to maintain or achieve access to the account. Also see in SIM Swap attacks.
Reference
https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/
Date
2024-08-21 00:00:00
Modified
None
Id
b18454c8-0be3-41f7-86bc-9c614611b839
Tags
attack.credential-access attack.persistence
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=b18454c8-0be3-41f7-86bc-9c614611b839

Rule History

Author
Title
Date
Commit
cyb3rjy0t
Merge PR #4978 from @cyb3rjy0t - Add `Multi Factor Authentication Disabled For User Account`
2024-08-21
d1143955c
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022