LoFP / Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.

Techniques

Sample rules

ASL AWS New MFA Method Registered For User

Description

The following analytic identifies the registration of a new multi-factor authentication (MFA) method for an AWS account, as logged through Amazon Security Lake (ASL). Adversaries who have obtained unauthorized access to an AWS account may register a new MFA method to maintain persistence.

Detection logic

 `amazon_security_lake` api.operation=CreateVirtualMFADevice 
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `asl_aws_new_mfa_method_registered_for_user_filter`

Azure AD New MFA Method Registered For User

Description

The following analytic identifies the registration of a new multi-factor authentication (MFA) method for an Azure AD account. Adversaries who have obtained unauthorized access to an Azure AD account may register a new MFA method to maintain persistence.

Detection logic

 `azure_monitor_aad` category=AuditLogs operationName="User registered security info" properties.operationType=Add 
| rename properties.* as * 
| rename targetResources{}.* as * 
| stats count min(_time) as firstTime max(_time) as lastTime by user, resultDescription, result, src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `azure_ad_new_mfa_method_registered_for_user_filter`

AWS New MFA Method Registered For User

Description

The following analytic identifies the registration of a new multi-factor authentication (MFA) method for an AWS account. Adversaries who have obtained unauthorized access to an AWS account may register a new MFA method to maintain persistence.

Detection logic

 `cloudtrail` eventName=CreateVirtualMFADevice 
| stats count values(requestParameters.virtualMFADeviceName) as virtualMFADeviceName min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_new_mfa_method_registered_for_user_filter`
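Added example, not part of this page or of the Splunk Security Content project: a Python equivalent of the CloudTrail rule above, run over constructed CloudTrail-style records, with a suppression step for the onboarding false positive this page describes (a user whose CreateUser event is recent is skipped). The seven-day window, the record contents and the use of the ARN to recover the user name are assumptions.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (sample data, not real events); only the
# fields the detection uses are filled in.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-01T09:00:00Z", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
     "requestParameters": {"userName": "new.hire"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-03-01T09:30:00Z", "eventName": "CreateVirtualMFADevice",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/new.hire"},
     "requestParameters": {"virtualMFADeviceName": "new.hire"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-03-20T02:15:00Z", "eventName": "CreateVirtualMFADevice",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/old.timer"},
     "requestParameters": {"virtualMFADeviceName": "backup"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-03-20T02:16:00Z", "eventName": "CreateVirtualMFADevice",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/old.timer"},
     "requestParameters": {"virtualMFADeviceName": "backup2"}, "sourceIPAddress": "198.51.100.7"},
]

ONBOARDING_WINDOW = timedelta(days=7)  # assumed tuning value, not part of the rule

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect_new_mfa(events, window=ONBOARDING_WINDOW):
    """Mirror of the CloudTrail rule: group CreateVirtualMFADevice events by the
    principal ARN and source IP and report count, first/last time and device
    names. A principal whose CreateUser event falls within `window` before the
    registration is suppressed (the onboarding false positive on this page)."""
    created = {}  # IAM user name -> time of its CreateUser event
    for e in events:
        if e["eventName"] == "CreateUser":
            created[e["requestParameters"]["userName"]] = _ts(e)
    findings = {}
    for e in sorted(events, key=_ts):
        if e["eventName"] != "CreateVirtualMFADevice":
            continue
        arn = e["userIdentity"]["arn"]
        user = arn.rsplit("/", 1)[-1]  # assumes an IAM user ARN ending in the user name
        t = _ts(e)
        if user in created and timedelta(0) <= t - created[user] <= window:
            continue  # newly onboarded user registering a first MFA device
        key = (arn, e["sourceIPAddress"])
        f = findings.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t, "devices": []})
        f["count"] += 1
        f["lastTime"] = t
        f["devices"].append(e["requestParameters"]["virtualMFADeviceName"])
    return findings
```

Calling `detect_new_mfa(SAMPLE_EVENTS)` returns one finding for `old.timer` (two devices from one IP) and none for `new.hire`; passing `window=ONBOARDING_WINDOW * 0` disables the suppression and surfaces both.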