Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0190: Detect MFA Modification or Disabling Across Platforms

This detection strategy matters because MFA changes can turn a single compromised account into durable access. Even though the ATT&CK detection object has...

EnterpriseDET0190Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because MFA changes can turn a single compromised account into durable access. Even though the ATT&CK detection object has no official detection text or platform list, its linked technique, T1556.006, is about adversaries disabling or modifying MFA to support persistence, defense impairment, and credential access. For leaders, the practical question is whether the organization can prove when MFA settings are changed, who approved the change, and whether those changes are reviewed quickly enough to prevent account-based intrusion from becoming a business disruption.

Executive priority

Treat MFA modification monitoring as an identity-control assurance issue, not only a SOC alert. Priority should go to privileged users, identity provider administration, cloud/IaaS administrative access, and any Linux or macOS contexts where the related technique applies. Executives should ask for evidence that MFA enrollment, reset, disablement, and policy changes are logged, reviewed, and tied to accountable change processes. This supports incident decision-making, audit readiness, and resilience against credential-based persistence.

Technical view

Because DET0190 provides no official detection logic, SOC and detection engineering teams should validate coverage from the relationship to T1556.006. Build or review detections for MFA being disabled, reset, bypassed, weakened, or modified across identity and administrative control planes. Prioritize events involving privileged accounts, recently compromised or suspicious accounts, unusual source locations, abnormal timing, and changes not linked to approved administration. IR teams should treat unauthorized MFA changes as potential evidence of persistence and credential-access activity, not just account hygiene noise.

Likely telemetry

  • Identity provider audit logs for MFA enrollment, reset, disablement, and policy changes
  • Cloud/IaaS administrative audit logs where MFA or authentication policy can be modified
  • Privileged account management and directory administration logs
  • Authentication logs before and after MFA changes, including successful logons following modification
  • Change-management records or ticketing evidence for authorized MFA administration

Detection direction

  • Confirm that MFA modification events are collected with actor, target account, timestamp, source, method, and administrative context.
  • Correlate MFA changes with privilege level, recent suspicious authentication, impossible or unusual access patterns, and absence of an approved change record.
  • Tune detections to distinguish expected help desk or identity administration workflows from unusual self-service changes, bulk changes, or changes to high-value accounts.
  • Review blind spots where MFA settings are managed outside the central identity provider, across cloud/IaaS services, or on platforms covered by the related technique but not consistently logged.
  • Use the linked tactics—defense impairment, persistence, and credential access—to escalate unauthorized MFA changes during triage.

Mitigation priorities

  • Ensure MFA configuration changes require appropriate administrative authorization and are logged centrally.
  • Restrict who can disable, reset, or modify MFA controls, especially for privileged and cloud administrative accounts.
  • Require change approval or documented business justification for MFA policy and enrollment modifications.
  • Regularly review MFA change logs for privileged users and accounts with broad access.
  • During incident response, rotate credentials and revalidate MFA settings for affected accounts before considering identity access restored.
Analyst notes and limits

The source object is a detection strategy, not a full technique description. MITRE provides the name and external reference for DET0190 but no official description, detection text, tactics, or platforms on the detection object itself. The strongest available context comes from its relationship to T1556.006, Multi-Factor Authentication, which identifies the behavior as relevant to defense impairment, persistence, and credential access across IaaS, Identity Provider, Linux, and macOS contexts.

This take cannot assert specific detection coverage, vendor events, active exploitation, attribution, or affected customer environments. Local validation is required to determine where MFA can be modified, which logs are retained, whether changes are tied to approvals, and how consistently identity and cloud telemetry reach the SOC.

Official MITRE ATT&CK definition

Detect MFA Modification or Disabling Across Platforms

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1556.006 Multi-Factor Authentication Sub-technique This object detects Multi-Factor Authentication.
Relationship explorer

All related ATT&CK context

detects · Technique T1556.006: Multi-Factor Authentication Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
882fcadf75747de5...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 882fcadf7574…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0190
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use