Azure AD New MFA Method Registered For User
An adversary may register a new MFA method in Azure AD on a compromised account to maintain persistence and bypass existing security controls.
This analytic detects the registration of a new Multi-Factor Authentication (MFA) method for an Azure AD account. This activity, sourced from Azure AD AuditLogs, identifies when a user registers new security information. Attackers who gain unauthorized access to an account may add their own MFA method to maintain persistence, even after the original owner resets their password. This allows attackers to bypass existing security controls, maintain long-term access, and potentially escalate their privileges within the environment. Defenders should investigate any unexpected MFA registrations, especially for privileged accounts.
Attack Chain
- The attacker gains initial access to an Azure AD account through password spraying, phishing, or other credential compromise techniques.
- The attacker logs into the compromised Azure AD account.
- The attacker navigates to the Azure AD security settings.
- The attacker initiates the registration of a new MFA method (e.g., Microsoft Authenticator app, phone number).
- Azure AD AuditLogs record the "User registered security info" event with operationType "Add".
- The attacker completes the MFA registration process.
- The attacker can now use the newly registered MFA method to authenticate to the compromised account, even if the original password is changed.
- The attacker uses the persistent access to perform further malicious activities, such as data exfiltration or privilege escalation.
Impact
Successful registration of a new MFA method by an attacker leads to persistent access to the compromised Azure AD account. This can lead to unauthorized access to sensitive data, lateral movement within the organization's cloud environment, and potential privilege escalation. The number of victims depends on the scope of the initial compromise, and the potential damage includes data breaches, financial loss, and reputational damage.
Recommendation
- Deploy the Sigma rule
Azure AD New MFA Method Registered For Userto your SIEM and tune for your environment to detect suspicious MFA registrations. - Investigate any alerts generated by the
Azure AD New MFA Method Registered For Userrule, especially for privileged accounts. - Monitor Azure AD AuditLogs for "User registered security info" events with operationType "Add" to identify potentially malicious MFA registrations.
- Implement strong password policies and MFA enrollment campaigns to reduce the risk of initial credential compromise.
- Consider conditional access policies that restrict MFA registration to trusted devices and locations.
Detection coverage 2
Azure AD New MFA Method Registered For User
highDetects the registration of a new MFA method for a user account in Azure AD, which could indicate malicious activity.
Azure AD MFA Registration from Unusual Location
mediumDetects MFA registration from an unusual geographical location for a user.
Detection queries are available on the platform. Get full rules →