LoFP / aws administrators may disable mfa but it is highly unlikely for this event to occur without prior notice to the company

Techniques

• T1556.006
• T1586.003
• T1621

Sample rules

AWS Multi-Factor Authentication Disabled

• source: splunk
• technicques:
  • T1556.006
  • T1586.003
  • T1621

Description

The following analytic detects attempts to disable multi-factor authentication (MFA) for an AWS IAM user. It leverages AWS CloudTrail logs to identify events where MFA devices are deleted or deactivated. This activity is significant because disabling MFA can indicate an adversary attempting to weaken account security, potentially to maintain persistence using a compromised account. If confirmed malicious, this action could allow attackers to retain access to the AWS environment without detection, posing a significant risk to the security and integrity of the cloud infrastructure.

Detection logic

`cloudtrail` (eventName= DeleteVirtualMFADevice OR eventName=DeactivateMFADevice) 
| rename user_name as user 
| stats count min(_time) as firstTime max(_time) as lastTime by signature dest user user_agent src vendor_account vendor_region vendor_product 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_multi_factor_authentication_disabled_filter`

ASL AWS Multi-Factor Authentication Disabled

• source: splunk
• technicques:
  • T1556.006
  • T1586.003
  • T1621

Description

The following analytic detects attempts to disable multi-factor authentication (MFA) for an AWS IAM user. It leverages Amazon Security Lake logs, specifically monitoring for DeleteVirtualMFADevice or DeactivateMFADevice API operations. This activity is significant as disabling MFA can indicate an adversary attempting to weaken account security to maintain persistence using a compromised account. If confirmed malicious, this action could allow attackers to retain access to the AWS environment without detection, potentially leading to unauthorized access to sensitive resources and prolonged compromise.

Detection logic

`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice) 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region 
| rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `asl_aws_multi_factor_authentication_disabled_filter`