Update T1112.yaml (Update Disable FIDO Authentication) (#2626)

Co-authored-by: Carrie Roberts <[email protected]>
redcanaryco · Dec 4, 2023 · 0e7356b · 0e7356b
1 parent d8b3cef
commit 0e7356b
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
@@ -946,3 +946,15 @@ atomic_tests:
     cleanup_command: |
       reg add "HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor" /v "AllowSecondaryAuthenticationDevice" /t REG_DWORD /d 1 /f
     name: command_prompt
+- name: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.
+  description: |
+    Detect the Microsoft FIDO authentication disable activities that adversary attempt to gains access to login credentials (e.g., passwords), they may be able to impersonate the user and access sensitive accounts or data and also increases the risk of falling victim to phishing attacks.
+    See the related article (https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.FidoAuthentication::AllowFidoDeviceSignon).
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon" /t REG_DWORD /d 0 /f
+    cleanup_command: |
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon" /t REG_DWORD /d 1 /f
+    name: command_prompt