Unusual modifications to a user's MFA settings (registering, replacing, or deleting authentication methods) may indicate an attacker who already holds valid credentials and is tampering with multi-factor authentication to bypass it or keep persistent access (MITRE ATT&CK T1556.006). SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) to detect account compromise early and limit subsequent lateral movement.
KQL Query

```kql
AuditLogs
// Security info (authentication method) changes are logged under the UserManagement category
| where Category =~ "UserManagement"
// "User ..." operations are self-service changes; "Admin ..." operations are changes made on another user's behalf
| where OperationName in~ ("Admin registered security info", "Admin updated security info", "Admin deleted security info", "User registered security info", "User changed default security info", "User deleted security info","User registered all required security info","User started security info registration")
// Initiator fields are read from InitiatedBy.user; changes made by an app or service principal (InitiatedBy.app) leave these empty
| extend InitiatorUPN = tolower(tostring(InitiatedBy.user.userPrincipalName))
| extend FromIP = tostring(InitiatedBy.user.ipAddress)
| extend TargetUPN = tostring(TargetResources[0].userPrincipalName)
| extend InitiatorID = tostring(InitiatedBy.user.id)
// One row per initiator and source IP, listing every account whose security info was touched in the window
| summarize ModifiedAccounts = make_set(TargetUPN, 100), Start = min(TimeGenerated), End = max(TimeGenerated), Actions = make_set(OperationName, 10) by InitiatorID, InitiatorUPN, FromIP
// Split the UPN so it can be mapped to the Account entity (Name + UPNSuffix) alongside AadUserId
| extend InitiatorName = tostring(split(InitiatorUPN, "@")[0]), InitiatorSuffix = tostring(split(InitiatorUPN, "@")[1])
```
```yaml
id: a3a09840-1022-4267-b9e1-d6c9799ed38a
name: Account MFA Modifications
description: |
  'Identifies modifications to a user's MFA settings. An attacker could use access to modify MFA settings to bypass MFA requirements or maintain persistence.'
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
tactics:
  - DefenseEvasion
  - Persistence
relevantTechniques:
  - T1556.006
query: |
  AuditLogs
  | where Category =~ "UserManagement"
  | where OperationName in~ ("Admin registered security info", "Admin updated security info", "Admin deleted security info", "User registered security info", "User changed default security info", "User deleted security info","User registered all required security info","User started security info registration")
  | extend InitiatorUPN = tolower(tostring(InitiatedBy.user.userPrincipalName))
  | extend FromIP = tostring(InitiatedBy.user.ipAddress)
  | extend TargetUPN = tostring(TargetResources[0].userPrincipalName)
  | extend InitiatorID = tostring(InitiatedBy.user.id)
  | summarize ModifiedAccounts = make_set(TargetUPN, 100), Start = min(TimeGenerated), End = max(TimeGenerated), Actions = make_set(OperationName, 10) by InitiatorID, InitiatorUPN, FromIP
  | extend InitiatorName = tostring(split(InitiatorUPN, "@")[0]), InitiatorSuffix = tostring(split(InitiatorUPN, "@")[1])
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: AadUserId
        columnName: InitiatorID
      - identifier: Name
        columnName: InitiatorName
      - identifier: UPNSuffix
        columnName: InitiatorSuffix
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: FromIP
```
| Sentinel Table | Notes |
|---|---|
| AuditLogs | Ensure the Azure Active Directory (Microsoft Entra ID) data connector is enabled and streaming audit logs |
Scenario: Scheduled Job Updates MFA Settings
Description: A legitimate automated process (e.g., an Azure Automation runbook or a provisioning script calling Microsoft Graph) registers or resets authentication methods for users during onboarding.
Filter/Exclusion: These events carry the automation's service principal in InitiatedBy.app (displayName, servicePrincipalId) rather than InitiatedBy.user, so the query's InitiatorUPN and FromIP are empty for them. Extend the query with tostring(InitiatedBy.app.displayName) and allow-list only the known automation identity; do not simply drop rows with an empty InitiatorUPN, since that would also hide unattributed changes.
Scenario: Admin Task to Reset MFA for Internal Users
Description: A helpdesk or identity admin resets or re-registers a user's authentication methods during a routine access review or support case (e.g., from the Microsoft Entra admin center). These appear as the "Admin ..." operations with a TargetUPN that differs from the InitiatorUPN.
Filter/Exclusion: Allow-list the InitiatorID or InitiatorUPN of designated helpdesk accounts, ideally together with their expected FromIP range, and correlate with a change or support ticket; keep alerting when those accounts act from an unexpected IP or touch an unusually large ModifiedAccounts set.
Scenario: MFA Configuration via Third-Party Identity Provider (IdP)
Description: An external identity or provisioning system (e.g., Okta or an HR-driven provisioning connector) writes authentication methods into Microsoft Entra ID as part of a synchronization task.
Filter/Exclusion: These are app-initiated like the scheduled-job case: match on InitiatedBy.app.displayName or InitiatedBy.app.servicePrincipalId for the connector and exclude only that identity.
Scenario: MFA Reset via Self-Service Portal
Description: A user registers, changes, or removes their own methods through the My Security Info portal or during combined security information registration. These are the "User ..." operations, and InitiatorUPN equals TargetUPN.
Filter/Exclusion: Treat rows where InitiatorUPN equals TargetUPN as the expected baseline and reserve alerting for initiators whose ModifiedAccounts contains other users, or for self-service changes from a new country or IP shortly after a risky sign-in (correlate with SigninLogs).
Scenario: MFA Configuration for Service Accounts
Description: A user account that is operated as a service or emergency-access (break-glass) account has authentication methods registered by an admin to satisfy a security policy. Managed identities and service principals do not have MFA methods and therefore never appear as targets in these events; only user objects do.
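To see how the query's grouping and the tuning scenarios above interact, here is an added example (not the page's own or Microsoft's code) that replays the same where/summarize logic in Python over constructed AuditLogs-shaped rows and then triages each initiator group. The rows, the `Contoso-HR-Provisioning` app name, and the `ADMIN_EGRESS_IPS` allow-list are assumptions made up for the example; it also reads `InitiatedBy.app`, which the page's query drops, so the app-initiated case is attributed instead of collapsing into an empty initiator.

```python
"""Replay the "Account MFA Modifications" logic over constructed AuditLogs rows.

Added example, not the page's or Microsoft's code. Rows are constructed to
mimic the Microsoft Sentinel AuditLogs columns the query uses (TimeGenerated,
Category, OperationName, InitiatedBy, TargetResources); the allow-lists are
hypothetical tuning values a SOC would replace with its own.
"""

# Operation names from the page's query; compared case-insensitively like KQL's in~.
MFA_OPERATIONS = {op.lower() for op in (
    "Admin registered security info", "Admin updated security info",
    "Admin deleted security info", "User registered security info",
    "User changed default security info", "User deleted security info",
    "User registered all required security info",
    "User started security info registration",
)}

# Hypothetical tuning knobs (assumptions, not from the page).
KNOWN_PROVISIONING_APPS = {"Contoso-HR-Provisioning"}  # InitiatedBy.app.displayName
ADMIN_EGRESS_IPS = {"203.0.113.10"}                    # where helpdesk admins work from


def _row(ts, op, target, user=None, ip=None, uid=None, app=None, category="UserManagement"):
    """Build a constructed AuditLogs-shaped row, initiated by a user or by an app."""
    initiated_by = ({"user": {"userPrincipalName": user, "ipAddress": ip, "id": uid}}
                    if user else {"app": {"displayName": app, "servicePrincipalId": "sp-" + app}})
    return {"TimeGenerated": ts, "Category": category, "OperationName": op,
            "InitiatedBy": initiated_by, "TargetResources": [{"userPrincipalName": target}]}


SAMPLE_AUDITLOGS = [  # constructed sample data
    # self-service: a user registers a method for herself (UPN case differs, as it can in real logs)
    _row("2024-05-01T08:00:00Z", "User registered security info", "alice@contoso.com",
         user="Alice@contoso.com", ip="198.51.100.7", uid="u-alice"),
    # helpdesk admin resets one user's methods from the corporate admin egress IP
    _row("2024-05-01T09:10:00Z", "Admin deleted security info", "bob@contoso.com",
         user="helpdesk@contoso.com", ip="203.0.113.10", uid="u-helpdesk"),
    # suspicious: one account deletes and re-registers security info for other users
    # from an IP nobody recognises (the persistence pattern the page describes)
    _row("2024-05-01T10:00:00Z", "Admin deleted security info", "carol@contoso.com",
         user="mallory@contoso.com", ip="192.0.2.44", uid="u-mallory"),
    _row("2024-05-01T10:01:00Z", "Admin registered security info", "carol@contoso.com",
         user="mallory@contoso.com", ip="192.0.2.44", uid="u-mallory"),
    _row("2024-05-01T10:02:00Z", "Admin registered security info", "dave@contoso.com",
         user="mallory@contoso.com", ip="192.0.2.44", uid="u-mallory"),
    # app-initiated: InitiatedBy.app is populated and InitiatedBy.user is absent, so the
    # page's query would leave InitiatorUPN/FromIP blank for this row
    _row("2024-05-01T11:00:00Z", "Admin registered security info", "frank@contoso.com",
         app="Contoso-HR-Provisioning"),
    # unrelated UserManagement event that the OperationName filter must drop
    _row("2024-05-01T12:00:00Z", "Update user", "grace@contoso.com",
         user="helpdesk@contoso.com", ip="203.0.113.10", uid="u-helpdesk"),
]


def extract(row):
    """Mirror the query's extend steps, plus InitiatedBy.app which the query drops."""
    user = row["InitiatedBy"].get("user") or {}
    app = row["InitiatedBy"].get("app") or {}
    return {
        "InitiatorUPN": (user.get("userPrincipalName") or "").lower(),
        "FromIP": user.get("ipAddress") or "",
        "InitiatorID": user.get("id") or app.get("servicePrincipalId") or "",
        "InitiatorApp": app.get("displayName") or "",
        "TargetUPN": (row["TargetResources"][0].get("userPrincipalName") or "").lower(),
    }


def summarize(rows):
    """Equivalent of the query's where/summarize: one group per (InitiatorID, InitiatorUPN, FromIP)."""
    groups = {}
    for row in rows:
        if row["Category"].lower() != "usermanagement" or row["OperationName"].lower() not in MFA_OPERATIONS:
            continue
        e = extract(row)
        key = (e["InitiatorID"], e["InitiatorUPN"], e["FromIP"])
        g = groups.setdefault(key, {"InitiatorApp": e["InitiatorApp"], "ModifiedAccounts": set(),
                                    "Actions": set(), "Start": row["TimeGenerated"], "End": row["TimeGenerated"]})
        g["ModifiedAccounts"].add(e["TargetUPN"])
        g["Actions"].add(row["OperationName"])
        # ISO-8601 UTC strings of identical shape sort lexicographically, so min/max work on them
        g["Start"], g["End"] = min(g["Start"], row["TimeGenerated"]), max(g["End"], row["TimeGenerated"])
    return groups


def triage(groups):
    """Apply the page's false-positive scenarios; returns {initiator label: verdict}."""
    verdicts = {}
    for (_, upn, ip), g in groups.items():
        label = upn or g["InitiatorApp"] or "<unattributed>"
        if g["InitiatorApp"] in KNOWN_PROVISIONING_APPS:
            verdicts[label] = "allowlisted-app"      # scheduled job / IdP provisioning connector
        elif not upn and not g["InitiatorApp"]:
            verdicts[label] = "unattributed"         # neither user nor app: inspect the raw row
        elif g["ModifiedAccounts"] == {upn}:
            verdicts[label] = "self-service"         # user changed only their own methods
        elif ip in ADMIN_EGRESS_IPS:
            verdicts[label] = "admin-known-egress"   # routine helpdesk work, confirm against a ticket
        else:
            verdicts[label] = "alert"                # other users' MFA changed from an unknown IP
    return verdicts


if __name__ == "__main__":
    for initiator, verdict in triage(summarize(SAMPLE_AUDITLOGS)).items():
        print(f"{initiator:28} {verdict}")
```

Running it prints one verdict per initiator group: the self-service registration and the helpdesk reset are baselined, the provisioning app is allow-listed by its `InitiatedBy.app` name, and only the account that rewrote other users' security info from an unknown IP surfaces as an alert. The same partitioning can be expressed in KQL by adding `InitiatedBy.app.displayName` to the `extend` and `summarize` steps and comparing `TargetUPN` to `InitiatorUPN` before summarizing.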