Techniques
Sample rules
AWS New MFA Method Registered For User
- source: splunk
- technicques:
- T1556.006
Description
The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for an AWS account. It leverages AWS CloudTrail logs to identify the CreateVirtualMFADevice
event. This activity is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. If confirmed malicious, this could allow attackers to secure their access, making it difficult to detect and remove their presence, potentially leading to further unauthorized activities and data breaches.
Detection logic
`cloudtrail` eventName=CreateVirtualMFADevice
| rename userName as user
| stats count min(_time) as firstTime max(_time) as lastTime by signature dest user user_agent src vendor_account vendor_region vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_new_mfa_method_registered_for_user_filter`
Azure AD New MFA Method Registered For User
- source: splunk
- technicques:
- T1556.006
Description
The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for an Azure AD account. It leverages Azure AD AuditLogs to identify when a user registers new security information. This activity is significant because adversaries who gain unauthorized access to an account may add their own MFA method to maintain persistence. If confirmed malicious, this could allow attackers to bypass existing security controls, maintain long-term access, and potentially escalate their privileges within the environment.
Detection logic
`azure_monitor_aad` category=AuditLogs operationName="User registered security info" properties.operationType=Add
| rename properties.* as *
| rename targetResources{}.* as *
| rename userAgent as user_agent
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by action dest user src vendor_account vendor_product user_agent result resultDescription signature
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_new_mfa_method_registered_for_user_filter`
ASL AWS New MFA Method Registered For User
- source: splunk
- technicques:
- T1556.006
Description
The following analytic identifies the registration of a new Multi-Factor Authentication (MFA) method for an AWS account, as logged through Amazon Security Lake (ASL). It detects this activity by monitoring the CreateVirtualMFADevice
API operation within ASL logs. This behavior is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. If confirmed malicious, this activity could allow attackers to secure their access, making it harder to detect and remove their presence from the compromised environment.
Detection logic
`amazon_security_lake` api.operation=CreateVirtualMFADevice
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
| rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_new_mfa_method_registered_for_user_filter`