Techniques
Sample rules
ASL AWS New MFA Method Registered For User
- source: splunk
- techniques:
- T1556
- T1556.006
Description
The following analytic identifies the registration of a new multi-factor authentication (MFA) method for an AWS account, as logged through Amazon Security Lake (ASL). Adversaries who have obtained unauthorized access to an AWS account may register a new MFA method to maintain persistence.
Detection logic
`amazon_security_lake` api.operation=CreateVirtualMFADevice
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_new_mfa_method_registered_for_user_filter`
Azure AD New MFA Method Registered For User
- source: splunk
- techniques:
- T1556
- T1556.006
Description
The following analytic identifies the registration of a new multi-factor authentication (MFA) method for an Azure AD account. Adversaries who have obtained unauthorized access to an Azure AD account may register a new MFA method to maintain persistence.
Detection logic
`azure_monitor_aad` category=AuditLogs operationName="User registered security info" properties.operationType=Add
| rename properties.* as *
| rename targetResources{}.* as *
| stats count min(_time) as firstTime max(_time) as lastTime by user, resultDescription, result, src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_new_mfa_method_registered_for_user_filter`
AWS New MFA Method Registered For User
- source: splunk
- techniques:
- T1556
- T1556.006
Description
The following analytic identifies the registration of a new multi-factor authentication (MFA) method for an AWS account. Adversaries who have obtained unauthorized access to an AWS account may register a new MFA method to maintain persistence.
Detection logic
`cloudtrail` eventName=CreateVirtualMFADevice
| stats count values(requestParameters.virtualMFADeviceName) as virtualMFADeviceName min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_new_mfa_method_registered_for_user_filter`
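The CloudTrail rule above, re-implemented as an added stand-alone example over raw CloudTrail records (this is not Splunk's code or the rule's own logic). It assumes the mapping of the SPL field names to raw CloudTrail JSON (aws_account_id to recipientAccountId, user_arn to userIdentity.arn, src_ip to sourceIPAddress) and, unlike the SPL, leaves eventID out of the grouping key so repeated registrations by one principal collapse into a single row; the sample records are constructed, and a failed call with an errorCode is kept as its own row so failures and successes are not mixed.

```python
# Added example, not Splunk content. Field mapping and the constructed sample
# records below are assumptions; eventID is deliberately excluded from the key.
from collections import defaultdict
from datetime import datetime, timezone

def _rec(ts, name, principal, arn, ip, ua="aws-cli/2.15.0", device=None, error=None):
    """Build a constructed CloudTrail-shaped record (sample data, not real)."""
    rec = {"eventTime": ts, "eventName": name, "eventSource": "iam.amazonaws.com",
           "awsRegion": "us-east-1", "recipientAccountId": "111122223333",
           "sourceIPAddress": ip, "userAgent": ua, "eventID": f"evt-{ts}",
           "userIdentity": {"principalId": principal, "arn": arn}}
    if device:
        rec["requestParameters"] = {"virtualMFADeviceName": device}
    if error:
        rec["errorCode"] = error
    return rec

ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"
SAMPLE_CLOUDTRAIL = [  # constructed: two successes, one denied call, one unrelated call
    _rec("2024-05-01T10:00:00Z", "CreateVirtualMFADevice", "AIDAALICE", ALICE, "203.0.113.10", device="alice-phone"),
    _rec("2024-05-01T10:05:00Z", "CreateVirtualMFADevice", "AIDAALICE", ALICE, "203.0.113.10", device="alice-backup"),
    _rec("2024-05-01T11:00:00Z", "CreateVirtualMFADevice", "AIDABOB", BOB, "198.51.100.7", device="bob-phone", error="AccessDenied"),
    _rec("2024-05-01T11:30:00Z", "DescribeInstances", "AIDABOB", BOB, "198.51.100.7"),
]

def detect_new_mfa_registrations(events):
    """One row per distinct combination of the SPL 'by' fields (minus eventID):
    count, firstTime, lastTime and the set of virtualMFADeviceName values."""
    rows = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None,
                                "virtualMFADeviceName": set()})
    for ev in events:
        if ev.get("eventName") != "CreateVirtualMFADevice":
            continue                      # base search: only MFA device creation
        ident = ev.get("userIdentity", {})
        key = (ev.get("eventSource"), ev.get("recipientAccountId"), ev.get("errorCode"),
               ev.get("userAgent"), ev.get("awsRegion"), ident.get("principalId"),
               ident.get("arn"), ev.get("sourceIPAddress"))
        t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        row = rows[key]
        row["count"] += 1                 # stats count
        row["firstTime"] = t if row["firstTime"] is None else min(row["firstTime"], t)
        row["lastTime"] = t if row["lastTime"] is None else max(row["lastTime"], t)
        name = ev.get("requestParameters", {}).get("virtualMFADeviceName")
        if name:
            row["virtualMFADeviceName"].add(name)   # values(virtualMFADeviceName)
    return dict(rows)
```

Each key's third element is the errorCode (None for a successful registration), so a triage script can alert on successful rows and separately track denied attempts.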