Techniques
Sample rules
AWS Multi-Factor Authentication Disabled
- source: splunk
- techniques:
  - T1586
  - T1586.003
  - T1621
  - T1556
  - T1556.006
Description
The following analytic identifies an attempt to disable multi-factor authentication for an AWS IAM user. An adversary who has obtained access to an AWS tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. In this way the attackers keep persistence in the environment without adding new users.
Detection logic
`cloudtrail` (eventName= DeleteVirtualMFADevice OR eventName=DeactivateMFADevice)
| stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id userAgent eventID awsRegion user_name userIdentity.arn status
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_multi_factor_authentication_disabled_filter`
ASL AWS Multi-Factor Authentication Disabled
- source: splunk
- techniques:
  - T1586
  - T1586.003
  - T1621
  - T1556
  - T1556.006
Description
The following analytic identifies an attempt to disable multi-factor authentication for an AWS IAM user. An adversary who has obtained access to an AWS tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. In this way the attackers keep persistence in the environment without adding new users.
Detection logic
`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice)
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_multi_factor_authentication_disabled_filter`
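To show how both rules above (the CloudTrail search and its ASL variant) map onto raw records, here is an added Python example that is not part of the Splunk content: it filters constructed CloudTrail and ASL/OCSF events on the two IAM operations and computes the same count / firstTime / lastTime aggregates per actor, operation and source IP. The OCSF field paths and the `time` key used for the ASL records are assumptions.

```python
from collections import defaultdict

# Constructed sample events, not real log data. Two are in native CloudTrail
# shape; the ASL list is in the Amazon Security Lake (OCSF) shape the second rule queries.
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "DeactivateMFADevice",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T10:00:05Z", "eventName": "DeleteVirtualMFADevice",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventName": "ListUsers",  # benign noise
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]
ASL_EVENTS = [  # OCSF field paths and the "time" key are assumptions
    {"time": "2024-05-01T09:59:00Z", "api": {"operation": "DeactivateMFADevice"},
     "identity": {"user": {"name": "alice"}}, "src_endpoint": {"ip": "203.0.113.10"}},
    {"time": "2024-05-01T10:00:00Z", "api": {"operation": "DeactivateMFADevice"},
     "identity": {"user": {"name": "alice"}}, "src_endpoint": {"ip": "203.0.113.10"}},
]

# The two IAM API calls both rules key on.
MFA_DISABLE_OPS = {"DeleteVirtualMFADevice", "DeactivateMFADevice"}

def from_cloudtrail(e):
    """Native CloudTrail record -> (actor, operation, source IP, timestamp)."""
    return (e["userIdentity"]["arn"], e["eventName"], e["sourceIPAddress"], e["eventTime"])

def from_asl(e):
    """ASL/OCSF record -> the same tuple, via its dotted field paths."""
    return (e["identity"]["user"]["name"], e["api"]["operation"],
            e["src_endpoint"]["ip"], e["time"])

def detect_mfa_disabled(events, normalize):
    """Mirror of the SPL: keep only the two operations, then compute
    count / min(_time) / max(_time) per (actor, operation, source IP)."""
    hits = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        actor, op, src, ts = normalize(ev)
        if op not in MFA_DISABLE_OPS:
            continue
        h = hits[(actor, op, src)]
        h["count"] += 1
        # Fixed-layout ISO-8601 UTC strings sort lexically, so min/max behave as on epochs.
        h["firstTime"] = ts if h["firstTime"] is None else min(h["firstTime"], ts)
        h["lastTime"] = ts if h["lastTime"] is None else max(h["lastTime"], ts)
    return dict(hits)
```

The `_filter` macros at the end of each SPL search have no counterpart here; in production they are where known-good administrative sources would be excluded.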