DET0160 Detection Strategy for Multi-Factor Authentication Request Generation (T1621)

Item	Value
ID	DET0160
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1621 (Multi-Factor Authentication Request Generation)

Analytics

Identity Provider

AN0449

Monitor for excessive or anomalous MFA push notifications or token requests, especially when login attempts originate from unusual IPs or geolocations and do not correspond to legitimate user-initiated sessions.

Log Sources

Data Component	Name	Channel
User Account Authentication (DC0002)	azure:signinlogs	Multiple MFA challenge requests without successful primary login
Application Log Content (DC0038)	NSM:Connections	PushNotificationSent

Mutable Elements

Field	Description
TimeWindow	Threshold of MFA prompts per user within a short time period
GeoIPAllowList	Expected login locations for workforce; deviations can be tuned

IaaS

AN0450

Detect abnormal MFA activity within cloud service provider logs, such as repeated generation of MFA challenges for the same user session or mismatched MFA device and login origin.

Log Sources

Data Component	Name	Channel
User Account Authentication (DC0002)	AWS:CloudTrail	AssumeRole or ConsoleLogin with repeated MFA failures followed by repeated MFA requests

Mutable Elements

Field	Description
FailedLoginThreshold	Number of failed logins before raising detection

Windows

AN0451

Detect repeated failed login events followed by MFA challenges triggered in rapid succession, especially if originating from service accounts or anomalous IP addresses.

Log Sources

Data Component	Name	Channel
User Account Authentication (DC0002)	WinEventLog:Security	EventCode=4625

Mutable Elements

Field	Description
ServiceAccountExclusion	Exclude specific accounts where automated MFA requests are legitimate

Linux

AN0452

Monitor PAM and syslog entries for unusual frequency of login attempts that trigger MFA prompts, particularly when MFA challenges do not match expected user behavior.

Log Sources

Data Component	Name	Channel
User Account Authentication (DC0002)	auditd:AUTH	pam_unix or pam_google_authenticator invoked repeatedly within short interval

Mutable Elements

Field	Description
AuthRetryThreshold	Number of retries per user allowed before detection is triggered

SaaS

AN0453

Detect anomalous OAuth or SSO logins that repeatedly generate MFA challenges, particularly where MFA approvals are denied or timed out by the user.

Log Sources

Data Component	Name	Channel
Application Log Content (DC0038)	saas:okta	MFAChallengeIssued

Mutable Elements

Field	Description
MFAProvider	Identify which MFA service provider logs are in use (Okta, Duo, Microsoft Authenticator)

macOS

AN0454

Detect user account logon attempts that trigger multiple MFA challenges through enterprise identity integrations, especially if MFA push requests are generated without successful interactive login.

Log Sources

Data Component	Name	Channel
Logon Session Metadata (DC0088)	macos:unifiedlog	authd generating multiple MFA token requests

Mutable Elements

Field	Description
DeviceEnrollmentStatus	Exclude unmanaged macOS devices that use different MFA providers