Common Information
| Type | Value |
|---|---|
| Value |
Multi-Factor Authentication - T1556.006 |
| Category | Attack-Pattern |
| Type | Mitre-Attack-Pattern |
| Misp Type | Cluster |
| Description | Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. Once adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621), adversaries may leverage their access to modify or completely disable MFA defenses. This can be accomplished by abusing legitimate features, such as excluding users from Azure AD Conditional Access Policies, registering a new yet vulnerable/adversary-controlled MFA method, or by manually patching MFA programs and configuration files to bypass expected functionality.(Citation: Mandiant APT42)(Citation: Azure AD Conditional Access Exclusions) For example, modifying the Windows hosts file (`C:\windows\system32\drivers\etc\hosts`) to redirect MFA calls to localhost instead of an MFA server may cause the MFA process to fail. If a "fail open" policy is in place, any otherwise successful authentication attempt may be granted access without enforcing MFA. (Citation: Russians Exploit Default MFA Protocol - CISA March 2022) Depending on the scope, goals, and privileges of the adversary, MFA defenses may be disabled for individual accounts or for all accounts tied to a larger group, such as all domain accounts in a victim's network environment.(Citation: Russians Exploit Default MFA Protocol - CISA March 2022) |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2014-06-26 | 25 | Securing SSH with two factor authentication using Google Authenticator | ||
| Details | Website | 2014-05-12 | 1 | TechEd 2014 North America Announcement Summary | ||
| Details | Website | 2014-04-18 | 1 | Attackers Exploit the Heartbleed OpenSSL Vulnerability to Circumvent Multi-factor Authentication on VPNs | Mandiant | ||
| Details | Website | 2013-12-12 | 0 | Security Professionals: Top Cyber Threat Predictions for 2014 - Microsoft Security Blog | ||
| Details | Website | 2013-06-24 | 0 | Risks of Default Passwords on the Internet | CISA | ||
| Details | Website | 2013-03-28 | 0 | Fast Password Cracking with a Huge Dictionary File and oclHashcat-Plus | ||
| Details | Website | 2013-03-11 | 0 | Rogue developers hiding Android malware in apps on Google Play | WeLiveSecurity | ||
| Details | Website | 2013-01-29 | 0 | The Application Delivery Firewall Paradigm | ||
| Details | Website | 2012-12-12 | 0 | Five Ways F5 Improves XenApp or XenDesktop Implementations | ||
| Details | Website | 2012-12-05 | 0 | Guarantee Delivery and Reliability of Citrix XenApp and XenDesktop | ||
| Details | Website | 2011-02-05 | 0 | DHS Best Practice for Remote Access Falls Short | ||
| Details | Website | 2010-02-05 | 95 | NIST Special Publication 800-63B | ||
| Details | Website | 2007-03-20 | 41 | Gozi Trojan Threat Analysis | ||
| Details | Website | — | 0 | Multi-factor authentication for online services | ||
| Details | Website | — | 0 | Stepping up to multi-factor authentication | ||
| Details | Website | — | 0 | Not all types of MFA are created equal... |