Description
Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.
Once adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as Multi-Factor Authentication Request Generation, adversaries may leverage their access to modify or completely disable MFA defenses. This can be accomplished by abusing legitimate features, such as excluding users from Azure AD Conditional Access Policies, registering a new yet vulnerable/adversary-controlled MFA method, or by manually patching MFA programs and configuration files to bypass expected functionality.(Citation: Mandiant APT42)(Citation: Azure AD Conditional Access Exclusions)
For example, modifying the Windows hosts file (C:\windows\system32\drivers\etc\hosts) to redirect MFA calls to localhost instead of an MFA server may cause the MFA process to fail. If a "fail open" policy is in place, any otherwise successful authentication attempt may be granted access without enforcing MFA. (Citation: Russians Exploit Default MFA Protocol - CISA March 2022)
Depending on the scope, goals, and privileges of the adversary, MFA defenses may be disabled for individual accounts or for all accounts tied to a larger group, such as all domain accounts in a victim's network environment.(Citation: Russians Exploit Default MFA Protocol - CISA March 2022)
Platforms
Mitigations (3)
User Account ManagementM1018
Ensure that proper policies are implemented to dictate the secure enrollment and deactivation of MFA for user accounts.
AuditM1047
Review MFA actions alongside authentication logs to ensure that MFA-based logins are functioning as intended. Review user accounts to ensure that all accounts have MFA enabled.(Citation: Mandiant Cloudy Logs 2023)
Multi-factor AuthenticationM1032
Ensure that MFA and MFA policies and requirements are properly implemented for existing and deactivated or dormant accounts and devices. If possible, consider configuring MFA solutions to "fail closed" rather than grant access in case of serious errors.
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G1015 | Scattered Spider | After compromising user accounts, [Scattered Spider](https://attack.mitre.org/groups/G1015) registers their own MFA tokens.(Citation: CISA Scattered S... |
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S1104 | SLOWPULSE | Malware | [SLOWPULSE](https://attack.mitre.org/software/S1104) can insert malicious logic to bypass RADIUS and ACE two factor authentication (2FA) flows if a de... |
| S0677 | AADInternals | Tool | The [AADInternals](https://attack.mitre.org/software/S0677) `Set-AADIntUserMFA` command can be used to disable MFA for a specified user. |
References
- Cyber Security Infrastructure Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved May 31, 2022.
- Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromise. Retrieved September 16, 2022.
- Microsoft. (2022, August 26). Use Azure AD access reviews to manage users excluded from Conditional Access policies. Retrieved August 30, 2022.
Frequently Asked Questions
What is T1556.006 (Multi-Factor Authentication)?
T1556.006 is a MITRE ATT&CK technique named 'Multi-Factor Authentication'. It belongs to the Defense Impairment, Persistence, Credential Access tactic(s). Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. Once adversaries have gained access to a network by either compromi...
How can T1556.006 be detected?
Detection of T1556.006 (Multi-Factor Authentication) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1556.006?
There are 3 documented mitigations for T1556.006. Key mitigations include: User Account Management, Audit, Multi-factor Authentication.
Which threat groups use T1556.006?
Known threat groups using T1556.006 include: Scattered Spider.