Skip to content

DET0190 Detect MFA Modification or Disabling Across Platforms

Item Value
ID DET0190
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1556.006 (Multi-Factor Authentication)

Analytics

Windows

AN0543

Detects registry and Group Policy modifications that disable or weaken MFA, suspicious PowerShell usage modifying MFA-related attributes, and anomalous login sessions succeeding without expected MFA challenge.

Log Sources
Data Component Name Channel
Active Directory Object Modification (DC0066) WinEventLog:Security EventCode=4739
Script Execution (DC0029) WinEventLog:PowerShell Set-ADUser or Set-ADAuthenticationPolicy with MFA attributes disabled
Mutable Elements
Field Description
WatchedAttributes List of AD attributes or policy fields tied to MFA enforcement that may vary by organization.
TimeWindow Correlation window between MFA policy changes and anomalous login behavior.

Identity Provider

AN0544

Detects conditional access policy changes, exclusion of accounts from MFA enforcement, or registration of new MFA factors by non-admin or anomalous users.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) azure:signinlogs Modify Conditional Access Policy
User Account Modification (DC0010) m365:unified User excluded from MFA or MFA method registered
Mutable Elements
Field Description
PrivilegedRoles Roles permitted to modify MFA settings in IdP; helps tune detection of unauthorized changes.

IaaS

AN0545

Detects API calls to cloud secrets/MFA configurations where MFA enforcement policies are disabled or bypassed.

Log Sources
Data Component Name Channel
Cloud Service Modification (DC0069) AWS:CloudTrail UpdateIdentityPolicy or DisableMFA
Mutable Elements
Field Description
MonitoredServices Specific cloud services or IAM policies relevant to MFA enforcement.

Linux

AN0546

Detects PAM module modifications or removal of MFA hooks in /etc/pam.d/ configurations, correlated with successful authentications lacking MFA prompts.

Log Sources
Data Component Name Channel
File Modification (DC0061) auditd:SYSCALL open/write to /etc/pam.d/*
User Account Authentication (DC0002) NSM:Connections Successful login without expected MFA challenge
Mutable Elements
Field Description
MFAHooks Paths to organization-specific PAM modules enforcing MFA.

macOS

AN0547

Detects modifications to authorization plugins responsible for MFA enforcement and correlates with suspicious login sessions missing MFA prompts.

Log Sources
Data Component Name Channel
File Modification (DC0061) macos:unifiedlog Modification of /Library/Security/SecurityAgentPlugins
User Account Authentication (DC0002) macos:unifiedlog Login success without MFA step
Mutable Elements
Field Description
WatchedPluginPaths Paths to organization-deployed MFA authorization plugins.

SaaS

AN0548

Detects suspicious MFA method changes, such as registration of weaker factors (e.g., SMS), or removal of MFA requirements for specific accounts or groups.

Log Sources
Data Component Name Channel
User Account Modification (DC0010) saas:zoom DisableMFA or RegisterNewFactor
Mutable Elements
Field Description
AcceptedFactors Configured MFA factors allowed in SaaS environment; tuned to organizational policies.

Office Suite

AN0549

Detects MFA bypass attempts by modifying tenant-wide authentication policies or excluding high-value accounts from MFA enforcement.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) m365:unified Set-CsOnlineUser or UpdateAuthPolicy
Mutable Elements
Field Description
MonitoredPolicies Specific tenant or suite policies tied to MFA enforcement.