Name:AWS Multi-Factor Authentication Disabled id:374832b1-3603-420c-b456-b373e24d34c0 version:3 date:2024-09-30 author:Bhavin Patel, Splunk status:production type:TTP Description:The following analytic detects attempts to disable multi-factor authentication (MFA) for an AWS IAM user. It leverages AWS CloudTrail logs to identify events where MFA devices are deleted or deactivated. This activity is significant because disabling MFA can indicate an adversary attempting to weaken account security, potentially to maintain persistence using a compromised account. If confirmed malicious, this action could allow attackers to retain access to the AWS environment without detection, posing a significant risk to the security and integrity of the cloud infrastructure. Data_source:
-AWS CloudTrail DeleteVirtualMFADevice
-AWS CloudTrail DeactivateMFADevice
search:`cloudtrail` (eventName= DeleteVirtualMFADevice OR eventName=DeactivateMFADevice) | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id userAgent eventID awsRegion user_name userIdentity.arn status | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_multi_factor_authentication_disabled_filter`
how_to_implement:The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs. known_false_positives:AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company References: -https://attack.mitre.org/techniques/T1621/ -https://aws.amazon.com/what-is/mfa/ drilldown_searches: name:'View the detection results for - "$aws_account_id$" and "$user_name$"' search:'%original_detection_search% | search aws_account_id = "$aws_account_id$" user_name = "$user_name$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$aws_account_id$" and "$user_name$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$", "$user_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'AWS Identity and Access Management Account Takeover' asset_type:AWS Account confidence:80 impact:80 message:User $user_name$ has disabled Multi-Factor authentication for AWS account $aws_account_id$ mitre_attack_id: - 'T1586' - 'T1586.003' - 'T1621' - 'T1556' - 'T1556.006' observable: name:'aws_account_id' type:'Other' - role: - 'Victim' name:'user_name' type:'User' - role: - 'Victim' name:'src' type:'IP Address' - role: - 'Attacker' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - 'src' - 'eventName' - 'eventSource' - 'aws_account_id' - 'errorCode' - 'errorMessage' - 'userAgent' - 'eventID' - 'awsRegion' - 'user_name' - 'userIdentity.arn' risk_score:64 security_domain:threat
