O365 Disable MFA

Try in Splunk Security Cloud

Description

This search detects when multi factor authentication has been disabled, what entitiy performed the action and against what user

• Type: TTP

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2022-02-03
• Author: Rod Soto, Splunk
• ID: c783dd98-c703-4252-9e8a-f19d9f5c949e

Annotations

ATT&CK

ID	Technique	Tactic
T1556	Modify Authentication Process	Credential Access, Defense Evasion, Persistence

Kill Chain Phase

• Exploitation

NIST

CIS20

CVE

Search

`o365_management_activity` Operation="Disable Strong Authentication." 
| stats count earliest(_time) as firstTime latest(_time) as lastTime by UserType Operation UserId ResultStatus 
|`security_content_ctime(firstTime)` 
|`security_content_ctime(lastTime)` 
| `o365_disable_mfa_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime
• o365_management_activity

Note that o365_disable_mfa_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required field

• _time
• Operation
• UserType
• user
• status
• signature
• dest
• ResultStatus

How To Implement

You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity

Known False Positives

Unless it is a special case, it is uncommon to disable MFA or Strong Authentication

Associated Analytic story

• Office 365 Detections

RBA

Risk Score	Impact	Confidence	Message
64.0	80	80	User $user$ has executed an operation $Operation$ for this destination $dest$

Reference

• https://attack.mitre.org/techniques/T1556/

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

• https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/o365_disable_mfa/o365_disable_mfa.json

source | version: 1