Techniques
Sample rules
Azure AD New MFA Method Registered For User
- source: splunk
- technicques:
- T1556.006
Description
The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for an Azure AD account. It leverages Azure AD AuditLogs to identify when a user registers new security information. This activity is significant because adversaries who gain unauthorized access to an account may add their own MFA method to maintain persistence. If confirmed malicious, this could allow attackers to bypass existing security controls, maintain long-term access, and potentially escalate their privileges within the environment.
Detection logic
`azure_monitor_aad` category=AuditLogs operationName="User registered security info" properties.operationType=Add
| rename properties.* as *
| rename targetResources{}.* as *
| rename userAgent as user_agent
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY action dest user
src vendor_account vendor_product
user_agent result resultDescription
signature
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_new_mfa_method_registered_for_user_filter`
AWS New MFA Method Registered For User
- source: splunk
- technicques:
- T1556.006
Description
The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for an AWS account. It leverages AWS CloudTrail logs to identify the CreateVirtualMFADevice event. This activity is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. If confirmed malicious, this could allow attackers to secure their access, making it difficult to detect and remove their presence, potentially leading to further unauthorized activities and data breaches.
Detection logic
`cloudtrail` eventName=CreateVirtualMFADevice
| rename userName as user
| stats count min(_time) as firstTime max(_time) as lastTime
BY signature dest user
user_agent src vendor_account
vendor_region vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_new_mfa_method_registered_for_user_filter`
ASL AWS New MFA Method Registered For User
- source: splunk
- technicques:
- T1556.006
Description
The following analytic identifies the registration of a new Multi-Factor Authentication (MFA) method for an AWS account, as logged through Amazon Security Lake (ASL). It detects this activity by monitoring the CreateVirtualMFADevice API operation within ASL logs. This behavior is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. If confirmed malicious, this activity could allow attackers to secure their access, making it harder to detect and remove their presence from the compromised environment.
Detection logic
`amazon_security_lake` api.operation=CreateVirtualMFADevice
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY actor.user.uid api.operation api.service.name
http_request.user_agent src_endpoint.ip actor.user.account.uid
cloud.provider cloud.region
| rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_new_mfa_method_registered_for_user_filter`