Clankerusecase
MITRE ATT&CK detection coverage
 ← Back to main site
Home/ MITRE Matrix/ Defense Evasion/ T1556.006

T1556.006Multi-Factor Authentication

T1556.006 — Multi-Factor Authentication is a MITRE ATT&CK technique in the Defense Evasion tactic. Clankerusecase tracks 15 detection use cases covering it and 3 threat-intel articles citing it.

Defense EvasionPersistenceCredential Access
View on the matrix → Filter Detection Library MITRE official spec ↗
15Use cases
3Articles
0Sub-techniques
3Tactics
↑ Parent technique: T1556 · Modify Authentication Process

Use cases covering this technique (15)

Okta Multi-Factor Authentication Disabled ESCU actions · alerting P PingID Mismatch Auth Source and Verification Response ESCU actions · alerting P PingID New MFA Method After Credential Reset ESCU actions · alerting P PingID New MFA Method Registered For User ESCU actions · alerting P ASL AWS Multi-Factor Authentication Disabled ESCU actions · alerting P ASL AWS New MFA Method Registered For User ESCU actions · alerting P AWS Multi-Factor Authentication Disabled ESCU actions · alerting P AWS New MFA Method Registered For User ESCU actions · alerting P Azure AD Multi-Factor Authentication Disabled ESCU actions · alerting P Azure AD New MFA Method Registered For User ESCU actions · alerting P GCP Multi-Factor Authentication Disabled ESCU actions · alerting P [LLM] Bling Libra: Entra device join immediately after vishing-driven MFA registration Bespoke install · alerting DSPDD [LLM] phpMyFAQ /admin/check unauthenticated TOTP brute-force (CVE GHSA-9pq7-mfwh-xx2j) Bespoke exploit · alerting SP [LLM] phpMyFAQ 2FA bypass success: /admin/check brute burst followed by authenticated /admin/ access Bespoke install · alerting SP [LLM] Iran-aligned MFA push-bombing followed by new auth method registered (AA24-290A) Bespoke actions · alerting DSP

Articles citing this technique (3)

crit Out of the Crypt: The Evolving Cyber Extortion Economy art-193
crit [GHSA / CRITICAL] GHSA-6626-79jh-5ccr: Duplicate Advisory: phpMyFAQ enables unauthenticated 2FA brute-force attack via /admin/check acceptan art-280
crit Cyber fallout from the Iran war: What to have on your radar art-474