LoFP

Some legitimate administrative workflows or CI/CD automation pipelines may temporarily configure or re-enable MFA devices using session-based credentials. Validate the calling identity’s purpose, source IP, and user agent to confirm whether this activity was authorized. This rule automatically excludes console login sessions, which filters out expected MFA operations performed via the AWS Management Console.

Techniques

Sample rules

AWS IAM Virtual MFA Device Registration Attempt with Session Token

Description

Detects attempts to create or enable a Virtual MFA device (CreateVirtualMFADevice, EnableMFADevice) using temporary AWS credentials (access keys beginning with ASIA). Session credentials are short-lived and tied to existing authenticated sessions, so using them to register or enable MFA devices is unusual. Adversaries who compromise temporary credentials may abuse this behavior to establish persistence by attaching new MFA devices to maintain access to high-privilege accounts despite key rotation or password resets.

Detection logic

iam where event.dataset == "aws.cloudtrail"
  and event.provider == "iam.amazonaws.com"
  and event.outcome == "success"
  and event.action in ("CreateVirtualMFADevice", "EnableMFADevice")
  and startsWith(aws.cloudtrail.user_identity.access_key_id, "ASIA")
  and not aws.cloudtrail.session_credential_from_console == "true"
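
As an added example (not part of this page or of the rule's own source), the conditions of the EQL query above re-implemented in Python and run over five constructed CloudTrail-style records: one true hit, one console session, one long-lived AKIA key, one denied attempt and one unrelated action. For each hit it also pulls out the principal, source IP and user agent that the false-positive note says to validate. The nested field names under `event.*` and `aws.cloudtrail.*` mirror the query; `source.ip` and `user_agent.original` are assumed ECS field names the page does not mention, and every account id, key id, ARN and IP address is a placeholder.

```python
from typing import Any

# Constants taken from the rule on the page.
MFA_ACTIONS = ("CreateVirtualMFADevice", "EnableMFADevice")
SESSION_KEY_PREFIX = "ASIA"  # temporary STS credentials; long-lived user keys start with "AKIA"


def get_field(event: dict, dotted_path: str, default: Any = None) -> Any:
    """Walk a dotted ECS-style path such as "aws.cloudtrail.user_identity.access_key_id"."""
    node: Any = event
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def matches_rule(event: dict) -> bool:
    """Python equivalent of the EQL conditions: dataset, provider, success, MFA action,
    ASIA-prefixed access key, and not a console session. A missing
    session_credential_from_console field is treated here as a non-console session;
    that is an assumption of this example, not something the page states."""
    access_key = get_field(event, "aws.cloudtrail.user_identity.access_key_id", "")
    return (
        get_field(event, "event.dataset") == "aws.cloudtrail"
        and get_field(event, "event.provider") == "iam.amazonaws.com"
        and get_field(event, "event.outcome") == "success"
        and get_field(event, "event.action") in MFA_ACTIONS
        and str(access_key).startswith(SESSION_KEY_PREFIX)  # case-sensitive prefix check
        and get_field(event, "aws.cloudtrail.session_credential_from_console") != "true"
    )


def triage_context(event: dict) -> dict:
    """Pull out the fields the false-positive note says to validate for each hit."""
    return {
        "action": get_field(event, "event.action"),
        "principal": get_field(event, "aws.cloudtrail.user_identity.arn"),
        "source_ip": get_field(event, "source.ip"),          # assumed ECS field name
        "user_agent": get_field(event, "user_agent.original"),  # assumed ECS field name
    }


def run_rule(events: list) -> list:
    """Return triage context for every event the rule matches."""
    return [triage_context(e) for e in events if matches_rule(e)]


def _make_event(action, key_id, from_console, outcome="success", ip="203.0.113.10",
                ua="aws-cli/2.15.0 Python/3.11",
                arn="arn:aws:sts::111122223333:assumed-role/DeployRole/ci-runner"):
    """Build one constructed CloudTrail-style record in the nested shape the rule queries."""
    return {
        "event": {"dataset": "aws.cloudtrail", "provider": "iam.amazonaws.com",
                  "outcome": outcome, "action": action},
        "aws": {"cloudtrail": {"user_identity": {"access_key_id": key_id, "arn": arn},
                               "session_credential_from_console": from_console}},
        "source": {"ip": ip},
        "user_agent": {"original": ua},
    }


# Constructed sample events (placeholder account id, key ids and IPs; not real CloudTrail data).
SAMPLE_EVENTS = [
    # 1. Temporary ASIA credentials enabling MFA from the CLI: the only record that should fire.
    _make_event("EnableMFADevice", "ASIAEXAMPLE0000000001", "false"),
    # 2. Same action but the session came from the console: excluded by the last clause.
    _make_event("CreateVirtualMFADevice", "ASIAEXAMPLE0000000002", "true",
                ua="console.amazonaws.com", arn="arn:aws:iam::111122223333:user/alice"),
    # 3. Long-lived AKIA user key: not a session token, so the startsWith clause fails.
    _make_event("EnableMFADevice", "AKIAEXAMPLE0000000003", "false",
                arn="arn:aws:iam::111122223333:user/bob"),
    # 4. Denied attempt: event.outcome is not "success".
    _make_event("EnableMFADevice", "ASIAEXAMPLE0000000004", "false", outcome="failure"),
    # 5. Unrelated IAM action under the same kind of session token.
    _make_event("ListMFADevices", "ASIAEXAMPLE0000000005", "false"),
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT", hit)
```

Only the first record fires; the printed context (principal ARN, source IP, user agent) is what an analyst compares against known CI/CD runners and admin workstations when deciding whether the hit is one of the legitimate cases described at the top of the page.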