MFA device deactivation may occur legitimately during device rotation, user offboarding, or troubleshooting. For example, AWS requires deactivation of an existing MFA device before adding a replacement. These actions are often performed by administrators following approved change-control processes. To reduce false positives, validate whether the deactivation aligns with a documented workflow, known device replacement, or expected maintenance window. If performed outside of expected operational hours, by an unexpected user, or from an unfamiliar source IP, this event should be investigated for potential credential compromise or unauthorized tampering.

Sample rules

AWS IAM Deactivation of MFA Device

Description

Detects the deactivation of a Multi-Factor Authentication (MFA) device in AWS Identity and Access Management (IAM). MFA provides critical protection against unauthorized access by requiring a second factor for authentication. Adversaries or compromised administrators may deactivate MFA devices to weaken account protections, disable strong authentication, or prepare for privilege escalation or persistence. This rule monitors successful DeactivateMFADevice API calls, which represent the point at which MFA protection is actually removed.

Detection logic

event.dataset: aws.cloudtrail
    and event.provider: iam.amazonaws.com
    and event.action: DeactivateMFADevice
    and event.outcome: success
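The rule's four conditions, followed by the three false-positive checks from the note above (expected user, known source IP, operational hours), run over constructed CloudTrail records. This is an added example, not part of the LoFP entry or the rule it documents; the POLICY values and the sample records are assumptions.

```python
import json
from datetime import datetime

# Constructed CloudTrail records (not real logs): an approved rotation by an admin
# inside the maintenance window, a denied attempt, and an off-hours deactivation
# from an unfamiliar address.
SAMPLE_LOG = """
{"eventTime":"2024-03-12T14:05:10Z","eventSource":"iam.amazonaws.com","eventName":"DeactivateMFADevice","userIdentity":{"userName":"iam-admin"},"sourceIPAddress":"203.0.113.10","requestParameters":{"userName":"alice","serialNumber":"arn:aws:iam::111122223333:mfa/alice"}}
{"eventTime":"2024-03-12T14:06:00Z","eventSource":"iam.amazonaws.com","eventName":"DeactivateMFADevice","errorCode":"AccessDenied","userIdentity":{"userName":"intern"},"sourceIPAddress":"203.0.113.10","requestParameters":{"userName":"bob"}}
{"eventTime":"2024-03-13T02:41:33Z","eventSource":"iam.amazonaws.com","eventName":"DeactivateMFADevice","userIdentity":{"userName":"bob"},"sourceIPAddress":"198.51.100.77","requestParameters":{"userName":"bob","serialNumber":"arn:aws:iam::111122223333:mfa/bob"}}
"""

# Hypothetical triage policy; real values come from change-control records.
POLICY = {
    "approved_operators": {"iam-admin"},
    "known_source_ips": {"203.0.113.10"},
    "business_hours_utc": (8, 18),  # deactivations expected only in [08:00, 18:00) UTC
}

def matches_rule(rec):
    """Mirror the rule: IAM provider, DeactivateMFADevice, no errorCode (= success)."""
    return (rec.get("eventSource") == "iam.amazonaws.com"
            and rec.get("eventName") == "DeactivateMFADevice"
            and "errorCode" not in rec)

def triage(rec, policy=POLICY):
    """Return the names of the false-positive checks that FAILED for one event."""
    flags = []
    if rec.get("userIdentity", {}).get("userName") not in policy["approved_operators"]:
        flags.append("unexpected_user")
    if rec.get("sourceIPAddress") not in policy["known_source_ips"]:
        flags.append("unfamiliar_source_ip")
    hour = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").hour  # eventTime is UTC
    start, end = policy["business_hours_utc"]
    if not start <= hour < end:
        flags.append("outside_operational_hours")
    return flags

def analyze(log_text, policy=POLICY):
    """Run the detection over newline-delimited CloudTrail JSON; (actor, target, verdict, flags) per hit."""
    results = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if not matches_rule(rec):
            continue
        flags = triage(rec, policy)
        verdict = "investigate" if flags else "likely_benign"
        results.append((rec["userIdentity"]["userName"],
                        rec.get("requestParameters", {}).get("userName"), verdict, flags))
    return results
```

The denied call is dropped by the success condition, so only successful deactivations reach triage, which is where the "likely_benign" versus "investigate" split happens.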