MITRE ATT&CK Technique
Description
Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. Once adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621), adversaries may leverage their access to modify or completely disable MFA defenses. This can be accomplished by abusing legitimate features, such as excluding users from Azure AD Conditional Access Policies, registering a new yet vulnerable/adversary-controlled MFA method, or by manually patching MFA programs and configuration files to bypass expected functionality.(Citation: Mandiant APT42)(Citation: Azure AD Conditional Access Exclusions) For example, modifying the Windows hosts file (`C:\windows\system32\drivers\etc\hosts`) to redirect MFA calls to localhost instead of an MFA server may cause the MFA process to fail. If a "fail open" policy is in place, any otherwise successful authentication attempt may be granted access without enforcing MFA. (Citation: Russians Exploit Default MFA Protocol - CISA March 2022) Depending on the scope, goals, and privileges of the adversary, MFA defenses may be disabled for individual accounts or for all accounts tied to a larger group, such as all domain accounts in a victim's network environment.(Citation: Russians Exploit Default MFA Protocol - CISA March 2022)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2022-05-31T19:31:38.431Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may disable or modify multi-factor authentication '
'(MFA) mechanisms to enable persistent access to compromised '
'accounts.\n'
'\n'
'Once adversaries have gained access to a network by either '
'compromising an account lacking MFA or by employing an MFA '
'bypass method such as [Multi-Factor Authentication Request '
'Generation](https://attack.mitre.org/techniques/T1621), '
'adversaries may leverage their access to modify or completely '
'disable MFA defenses. This can be accomplished by abusing '
'legitimate features, such as excluding users from Azure AD '
'Conditional Access Policies, registering a new yet '
'vulnerable/adversary-controlled MFA method, or by manually '
'patching MFA programs and configuration files to bypass '
'expected functionality.(Citation: Mandiant APT42)(Citation: '
'Azure AD Conditional Access Exclusions)\n'
'\n'
'For example, modifying the Windows hosts file '
'(`C:\\windows\\system32\\drivers\\etc\\hosts`) to redirect '
'MFA calls to localhost instead of an MFA server may cause the '
'MFA process to fail. If a "fail open" policy is in place, any '
'otherwise successful authentication attempt may be granted '
'access without enforcing MFA. (Citation: Russians Exploit '
'Default MFA Protocol - CISA March 2022) \n'
'\n'
'Depending on the scope, goals, and privileges of the '
'adversary, MFA defenses may be disabled for individual '
'accounts or for all accounts tied to a larger group, such as '
"all domain accounts in a victim's network "
'environment.(Citation: Russians Exploit Default MFA Protocol '
'- CISA March 2022) ',
'external_references': [{'external_id': 'T1556.006',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1556/006'},
{'description': 'Cyber Security Infrastructure '
'Agency. (2022, March 15). Russian '
'State-Sponsored Cyber Actors Gain '
'Network Access by Exploiting Default '
'Multifactor Authentication Protocols '
'and “PrintNightmare” Vulnerability. '
'Retrieved May 31, 2022.',
'source_name': 'Russians Exploit Default MFA '
'Protocol - CISA March 2022',
'url': 'https://www.cisa.gov/uscert/ncas/alerts/aa22-074a'},
{'description': 'Mandiant. (n.d.). APT42: Crooked '
'Charms, Cons and Compromise. '
'Retrieved September 16, 2022.',
'source_name': 'Mandiant APT42',
'url': 'https://www.mandiant.com/media/17826'},
{'description': 'Microsoft. (2022, August 26). Use '
'Azure AD access reviews to manage '
'users excluded from Conditional '
'Access policies. Retrieved August '
'30, 2022.',
'source_name': 'Azure AD Conditional Access '
'Exclusions',
'url': 'https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion'}],
'id': 'attack-pattern--b4409cd8-0da9-46e1-a401-a241afd4d1cc',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'credential-access'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'}],
'modified': '2025-04-15T19:58:59.338Z',
'name': 'Multi-Factor Authentication',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Liran Ravich, CardinalOps',
'Muhammad Moiz Arshad, @5T34L7H',
'Arun Seelagan, CISA'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows',
'SaaS',
'IaaS',
'Linux',
'macOS',
'Office Suite',
'Identity Provider'],
'x_mitre_version': '1.4'}