T1556.006: Multi-Factor Authentication

T1556.006: Multi-Factor Authentication

Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. Once adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as Multi-Factor Authenticati...

View on MITRE ATT&CK →

Azure Admin Registered Security Info

Records an administrator registering authentication methods (e.g., MFA) on behalf of another user in Entra ID.

Cloud Service: Azure - Microsoft Entra ID

Tactics:

Persistence

Techniques:

T1556.006T1098

Tags:

Azure Microsoft Entra ID

AWS DeactivateMFADevice

Deactivates an MFA device associated with an IAM user, removing the MFA requirement for their authentication.

Cloud Service: AWS - IAM

Tactics:

Defense Evasion

Techniques:

T1556.006

Tags:

AWS IAM

Azure Update User Authentication Methods

Changes the MFA or passwordless authentication methods registered for a user in Microsoft Entra ID.

Cloud Service: Azure - Microsoft Entra ID

Tactics:

Persistence Defense Evasion

Techniques:

T1556.006T1098

Tags:

Azure Microsoft Entra ID