Authentication Methods Modified [RULE-1148]
This rule detects when a user or an administrator modifies authentication methods for a privileged account. This includes adding, removing, or changing multi-factor authentication (MFA) methods such as phone numbers, authenticator apps, or security keys. Changes to authentication methods on privileged accounts require immediate verification because they can indicate an attacker establishing persistence after compromising an account.
Rationale
After an attacker compromises an account, one of their first actions is often to register their own authentication method -- such as adding a new phone number or authenticator app for MFA. This technique is documented in MITRE ATT&CK as T1098.005 (Account Manipulation: Device Registration). By registering their own MFA method, the attacker ensures they can pass multi-factor authentication challenges even after the legitimate user's password is reset.
This is particularly dangerous for privileged accounts because these accounts have elevated access to sensitive data, administrative functions, and security configurations. If an attacker controls a privileged account's authentication methods, they can maintain persistent access to the tenant, modify security settings, create additional backdoors, and access confidential information.
Authentication method modifications on privileged accounts should be rare and always intentional. Every unexpected modification must be treated as a potential compromise until proven otherwise. Quick verification and response can prevent an attacker from locking out the legitimate user and maintaining long-term access.
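The detection described above, as an added example that is not part of the original rule: it filters Entra ID audit-log records for security-info (MFA method) operations, keeps only those whose target is a privileged account, and flags the case where the initiating user differs from the account owner. The sample records, the example.com accounts and the privileged-user list are constructed; the field names follow Microsoft Graph directoryAudits.

```python
# Audit activity names under which Entra ID records security-info (MFA method) changes.
AUTH_METHOD_ACTIVITIES = {
    "User registered security info", "User deleted security info",
    "User changed default security info", "Admin registered security info",
    "Admin updated security info", "Admin deleted security info",
}

# Assumption: the privileged accounts are known, e.g. exported from the tenant's admin roles.
PRIVILEGED_USERS = frozenset({"ga-admin@example.com", "sec-admin@example.com"})

# Constructed sample records using Microsoft Graph directoryAudits field names.
SAMPLE_EVENTS = [
    {"activityDateTime": "2024-05-01T08:02:11Z", "activityDisplayName": "User registered security info",
     "resultReason": "User registered Mobile Phone",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "targetResources": [{"userPrincipalName": "alice@example.com"}]},
    {"activityDateTime": "2024-05-01T08:15:40Z", "activityDisplayName": "User registered security info",
     "resultReason": "User registered Authenticator App with Notification and Code",
     "initiatedBy": {"user": {"userPrincipalName": "ga-admin@example.com"}},
     "targetResources": [{"userPrincipalName": "ga-admin@example.com"}]},
    {"activityDateTime": "2024-05-01T23:47:03Z", "activityDisplayName": "Admin registered security info",
     "resultReason": "Admin registered Mobile Phone",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}},
     "targetResources": [{"userPrincipalName": "sec-admin@example.com"}]},
    {"activityDateTime": "2024-05-01T23:50:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}},
     "targetResources": [{"userPrincipalName": "sec-admin@example.com"}]},
]

def detect_privileged_auth_method_changes(events, privileged_users=PRIVILEGED_USERS):
    """Return one alert per MFA-method change whose target is a privileged account."""
    alerts = []
    for ev in events:
        if ev.get("activityDisplayName") not in AUTH_METHOD_ACTIVITIES:
            continue  # not an authentication-method operation
        actor = ((ev.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName", "").lower()
        for target in ev.get("targetResources", []):
            upn = (target.get("userPrincipalName") or "").lower()
            if upn not in privileged_users:
                continue  # changes on standard accounts are out of scope for this rule
            alerts.append({
                "time": ev.get("activityDateTime"), "operation": ev["activityDisplayName"],
                "target": upn, "actor": actor,
                # True when someone other than the account owner made the change (follow-up: contact both)
                "initiated_by_other": actor != upn,
                "method": ev.get("resultReason", ""),
            })
    return alerts
```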
Follow-up
Follow these steps to adequately address this detection:
- Verify whether the authentication method change was intentional: Contact the account owner and the initiating user (if different) to confirm whether the modification was planned and authorized. Review what specific method was added or changed.
- If no: The modification was unauthorized and the account may be compromised:
  - Immediately disable the affected account in Microsoft Entra ID to prevent further access.
  - Revoke all active sessions for the user and remove any authentication methods that were added by the attacker.
  - Reset the user's password and require the legitimate user to re-register their MFA methods through a secure, verified process.
  - Review the account's recent activity in the Unified Audit Log (https://security.microsoft.com/auditlogsearch) for other signs of compromise such as mail forwarding rules, OAuth app consents, data access, or privilege escalation.
  - Consider engaging Attic's IR team for a comprehensive investigation to determine the full scope of the compromise. An IR Credit Pack is required for this service.
- If yes: The modification was intentional and authorized:
  - Verify that the change complies with your organization's security policy for privileged account management.
  - If acceptable: close the incident and document the approved change.