MITRE ATT&CK® Detection Strategy

DET0246: Detection Strategy for MFA Interception via Input Capture and Smart Card Proxying

Enterprise | DET0246 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0246 is a MITRE detection strategy for identifying MFA interception through input capture and smart card proxying, mapped to ATT&CK technique T1111: Multi-Factor Authentication Interception. Its business significance is that MFA can reduce password-only risk, but it is not a complete control if attackers can intercept authentication material or proxy smart card use. Leaders should treat this as an identity assurance and incident readiness issue: confirm whether the organization can detect suspicious MFA-related credential access activity, not merely prove MFA is deployed.

Executive priority

Prioritize this where privileged access, smart card authentication, or high-value remote access depends on MFA. The key decision is whether identity controls are backed by evidence that SOC and IR teams can investigate when MFA is challenged, intercepted, or bypassed. This supports resilience, audit defensibility, and incident decision-making by showing whether MFA events, endpoint activity, and authentication context can be correlated during suspected credential access.

Technical view

MITRE provides no official description or detection logic for DET0246, so defenders should anchor validation to the related technique T1111 under Credential Access. SOC and detection teams should test whether they can correlate authentication activity with endpoint evidence on Linux, macOS, and Windows where relevant to local MFA/smart card deployments. Useful validation questions include: can analysts distinguish normal MFA or smart card use from unusual proxying patterns, unexpected credential prompts, suspicious input-capture behavior, or authentication attempts inconsistent with the user, device, or session context?

Likely telemetry

  • Identity provider and authentication logs for MFA challenges, successes, failures, device context, and session metadata
  • Smart card, certificate, or hardware-token authentication events where deployed
  • Endpoint security telemetry from Linux, macOS, and Windows systems associated with authentication workflows
  • Process, driver, input, or local security events that may help investigate input-capture behavior
  • Remote access, VPN, SSO, and privileged access logs tied to MFA-protected services

Detection direction

  • Because MITRE does not provide DET0246 detection text, start by mapping existing detections to T1111 and documenting which MFA interception scenarios are and are not covered.
  • Validate correlation between MFA events and endpoint/session context rather than relying on identity logs alone.
  • Tune for high-risk context such as privileged users, administrative systems, smart card use, unusual device changes, impossible or inconsistent session context, and repeated MFA anomalies.
  • Review false positives from legitimate smart card middleware, remote administration, help desk activity, and normal MFA retries.
  • Identify blind spots where MFA logs are retained but not ingested into the SOC, or where endpoint telemetry is unavailable for systems participating in authentication.
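As an added illustration of the correlation these bullets call for (not part of the DET0246 object, nor Glexia's or MITRE's own tooling), the following Python joins constructed identity-provider MFA records with constructed endpoint session records and flags the three conditions the list names: an MFA success with no endpoint corroboration, a privileged user completing MFA from a device outside their baseline, and a burst of failures immediately before a success. The record fields, the five-minute window and the retry threshold are assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed, simplified record shapes; real IdP and EDR schemas differ.
MfaEvent = namedtuple("MfaEvent", "ts user device result privileged")   # result: "success"/"failure"
EndpointEvent = namedtuple("EndpointEvent", "ts user device")           # e.g. logon/session start on a host

def correlate(mfa, endpoint, baseline, window=timedelta(minutes=5), retries=3):
    """Return (user, ts, reasons) for each MFA success that lacks a matching endpoint
    session, comes from a device outside a privileged user's baseline, or follows a burst
    of failures. The identity log alone is never treated as the whole picture."""
    sessions = defaultdict(list)
    for e in endpoint:
        sessions[e.user].append(e)
    known = {u: set(d) for u, d in baseline.items()}   # devices previously seen per user
    failures, findings = defaultdict(list), []
    for m in sorted(mfa, key=lambda x: x.ts):
        if m.result != "success":
            failures[m.user].append(m.ts)
            continue
        reasons = []
        # 1. MFA success should be corroborated by endpoint activity on the claimed device
        if not any(e.device == m.device and abs(e.ts - m.ts) <= window
                   for e in sessions[m.user]):
            reasons.append("no_endpoint_corroboration")
        # 2. privileged user completing MFA from a device never seen for that account
        if m.privileged and m.device not in known.get(m.user, set()):
            reasons.append("unexpected_device_change")
        # 3. repeated failures immediately before the success (retry noise or interception)
        if sum(m.ts - t <= window for t in failures[m.user]) >= retries:
            reasons.append("repeated_mfa_failures_before_success")
        known.setdefault(m.user, set()).add(m.device)
        if reasons:
            findings.append((m.user, m.ts, reasons))
    return findings

def run_sample():
    """Constructed sample: a benign login, a retry burst, and a privileged login from
    an unknown device with no endpoint session to back it."""
    t0 = datetime(2026, 1, 10, 9, 0)
    at = lambda mins: t0 + timedelta(minutes=mins)
    mfa = [MfaEvent(at(0), "alice", "lt-alice", "success", True),
           MfaEvent(at(10), "bob", "lt-bob", "failure", False),
           MfaEvent(at(11), "bob", "lt-bob", "failure", False),
           MfaEvent(at(12), "bob", "lt-bob", "failure", False),
           MfaEvent(at(13), "bob", "lt-bob", "success", False),
           MfaEvent(at(30), "alice", "kiosk-77", "success", True)]
    endpoint = [EndpointEvent(at(1), "alice", "lt-alice"), EndpointEvent(at(13), "bob", "lt-bob")]
    return correlate(mfa, endpoint, baseline={"alice": {"lt-alice"}})
```

The sample yields one finding for bob (retry burst before success) and one for alice (no endpoint session and an unknown device for a privileged account); in a real pipeline the baseline would come from historical device enrolment data rather than a literal.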

Mitigation priorities

  • Inventory MFA and smart card authentication paths for high-value systems and privileged accounts.
  • Ensure authentication, endpoint, and remote access telemetry is collected with sufficient retention for incident response.
  • Require detection engineering to document coverage against T1111 rather than treating MFA deployment as sufficient evidence of control.
  • Prioritize investigation playbooks that correlate user, device, authentication, and endpoint activity during suspected MFA interception.
  • Use compliance and risk reviews to verify that MFA assurance includes monitoring and response evidence, not only policy configuration.

Analyst notes and limits

This take is based on the DET0246 detection strategy metadata and its relationship to T1111 Multi-Factor Authentication Interception. The DET0246 object itself does not specify platforms, tactics, description, or detection logic. Platform references to Linux, macOS, and Windows come from the related T1111 technique, not from DET0246 directly.

The supplied ATT&CK fields are sparse and include no official DET0246 detection procedure. Local MFA architecture, identity provider logs, endpoint coverage, smart card deployment details, and SOC retention determine what can actually be detected. No active exploitation, actor attribution, or guaranteed detection coverage is implied.

Official MITRE ATT&CK definition

Detection Strategy for MFA Interception via Input Capture and Smart Card Proxying

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row
Domain | ID | Name | Relationship / procedure
Enterprise | T1111 | Multi-Factor Authentication Interception | This object detects Multi-Factor Authentication Interception.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d7fe81bb2f3f8ed5...
Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 |  | 1.0 |  | Current bundle | d7fe81bb2f3f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.


Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.