Show in Graph
Common Information
Type Value
Value 
Multi-Factor Authentication - T1556.006
Category Attack-Pattern
Type Mitre-Attack-Pattern
Misp Type Cluster
Description Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. Once adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621), adversaries may leverage their access to modify or completely disable MFA defenses. This can be accomplished by abusing legitimate features, such as excluding users from Azure AD Conditional Access Policies, registering a new yet vulnerable/adversary-controlled MFA method, or by manually patching MFA programs and configuration files to bypass expected functionality.(Citation: Mandiant APT42)(Citation: Azure AD Conditional Access Exclusions) For example, modifying the Windows hosts file (`C:\windows\system32\drivers\etc\hosts`) to redirect MFA calls to localhost instead of an MFA server may cause the MFA process to fail. If a "fail open" policy is in place, any otherwise successful authentication attempt may be granted access without enforcing MFA. (Citation: Russians Exploit Default MFA Protocol - CISA March 2022) Depending on the scope, goals, and privileges of the adversary, MFA defenses may be disabled for individual accounts or for all accounts tied to a larger group, such as all domain accounts in a victim's network environment.(Citation: Russians Exploit Default MFA Protocol - CISA March 2022)
Details Published Attributes CTI Title
Details Website 2018-08-20 307 Vulnerability Summary for the Week of August 13, 2018 | CISA
Details Website 2018-08-15 2 A Look at Auth0 Cloud Architecture: 5 Years In
Details Website 2018-08-14 4 Multi-Factor Mixup: Who Were You Again?
Details Website 2018-08-12 0 Black Hat & DEF CON Presentation Slides Posted
Details Website 2018-08-02 0 InfoSec’s fantastic fear of everything — why the Reddit incident shouldn’t cause InfoSec to throw…
Details Website 2018-07-31 0 SamSam: The (almost) $6 million ransomware
Details Website 2018-07-26 14 Attack inception: Compromised supply chain within a supply chain poses new risks - Microsoft Security Blog
Details Website 2018-07-25 0 Authentication As a Service: Architecture, Technologies, and Solutions | Apriorit
Details Website 2018-07-25 0 What Harry Potter Teaches Us about Constant Vigilance and Insider Threats
Details Website 2018-07-17 0 Six Things your Enterprise Needs to Learn from the DNC Hacking Indictment
Details Website 2018-07-15 1 Forensic Cyberpsychology: Profiling the Next-Generation Cybercriminal
Details Website 2018-07-12 0 Data Breaches in Retail over the Last Two Years
Details Website 2018-07-11 32 Passing-the-Hash to NTLM Authenticated Web Applications
Details Website 2018-06-23 0 Password Security
Details Website 2018-06-14 0 Building Zero Trust networks with Microsoft 365 - Microsoft Security Blog
Details Website 2018-05-29 5 Remote Authentication GeoFeasibility Tool - GeoLogonalyzer | Mandiant
Details Website 2018-05-26 2 T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account – Krebs on Security
Details Website 2018-05-22 0 YubiKey comes to iPhone with Mobile SDK for iOS and LastPass support
Details Website 2018-05-17 0 Get Your Online Privacy Under Control | McAfee Blog
Details Website 2018-05-16 0 CISSP Practice Exam: Free Online Sample Questions
Details Website 2018-05-14 0 Building Cybersecurity from the Ground Up — Part 2: The Technology Basics
Details Website 2018-05-13 0 Has Your Email Been Hacked?
Details Website 2018-05-04 0 Russia Attacks Global Network Infrastructure Through Vulnerabilities That Extend Far Beyond Their Targets
Details Website 2018-05-03 9 Adding Salt to Hashing: A Better Way to Store Passwords
Details Website 2018-05-03 14 Microsoft Identity Bounty | MSRC