Techniques
Sample rules
ASL AWS Multi-Factor Authentication Disabled
- source: splunk
- techniques:
- T1586
- T1586.003
- T1621
- T1556
- T1556.006
Description
The following analytic detects attempts to disable multi-factor authentication (MFA) for an AWS IAM user. It leverages Amazon Security Lake logs, specifically monitoring for DeleteVirtualMFADevice or DeactivateMFADevice API operations. This activity is significant as disabling MFA can indicate an adversary attempting to weaken account security to maintain persistence using a compromised account. If confirmed malicious, this action could allow attackers to retain access to the AWS environment without detection, potentially leading to unauthorized access to sensitive resources and prolonged compromise.
Detection logic
`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice)
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_multi_factor_authentication_disabled_filter`
AWS Multi-Factor Authentication Disabled
- source: splunk
- techniques:
- T1586
- T1586.003
- T1621
- T1556
- T1556.006
Description
The following analytic detects attempts to disable multi-factor authentication (MFA) for an AWS IAM user. It leverages AWS CloudTrail logs to identify events where MFA devices are deleted or deactivated. This activity is significant because disabling MFA can indicate an adversary attempting to weaken account security, potentially to maintain persistence using a compromised account. If confirmed malicious, this action could allow attackers to retain access to the AWS environment without detection, posing a significant risk to the security and integrity of the cloud infrastructure.
Detection logic
`cloudtrail` (eventName=DeleteVirtualMFADevice OR eventName=DeactivateMFADevice)
| stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id userAgent eventID awsRegion user_name userIdentity.arn status
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_multi_factor_authentication_disabled_filter`