
Commit 9423779

[New Rule] Adding Coverage for AWS IAM Virtual MFA Device Registration (#4626)
* adding new rule 'AWS IAM Virtual MFA Device Registration Attempt with Session Token' * updating rule --------- Co-authored-by: Colson Wilhoit <[email protected]>
1 parent 96c2d0c commit 9423779


1 file changed

+92
-0
lines changed

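--- /dev/null
+++ b/<PATH_NOT_SHOWN_ON_PAGE>
@@ -0,0 +1,92 @@
+[metadata]
+creation_date = "2025/04/11"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2025/04/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies attempts to register or enable an IAM Virtual MFA device using temporary credentials (access keys
+starting with 'ASIA'). This may indicate an adversary attempting to escalate privileges or establish persistence using
+stolen session tokens.
+"""
+false_positives = [
+"""
+Legitimate users or automation tools may register MFA devices using temporary session credentials, especially in
+CI/CD or administrative workflows. Validate the source IP, user agent, and context of the registration.
+""",
+]
+from = "now-9m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS IAM Virtual MFA Device Registration Attempt with Session Token"
+note = """## Triage and Analysis
+
+### Investigating AWS IAM Virtual MFA Device Registration Attempt with Session Token
+
+AWS temporary security credentials that begin with `ASIA` indicate they are session tokens. An attempt to create or enable a Virtual MFA device using such credentials is uncommon and may indicate malicious activity.
+
+#### Possible Investigation Steps
+
+- **Identify the User**: Check `user.name`, `user.arn`, and `aws.cloudtrail.user_identity.*` fields to determine which IAM entity made the request.
+- **Check for Prior Reconnaissance or Access**: Correlate this event with any prior calls to `GetSessionToken`, `GetCallerIdentity`, or `ListUsers` to see if an adversary was enumerating IAM users.
+- **Source Context**: Review `source.ip`, `user_agent`, and `event.origin` to determine whether this came from a legitimate device or a suspicious endpoint (e.g., Kali, Mythic, unknown VPN).
+- **Validate MFA Setup**: Look for follow-up attempts to call `sts:get-session-token` or `iam:EnableMFADevice` using this same session.
+
+### False Positive Analysis
+
+- This may occur if an admin or automation tool is legitimately setting up a new MFA device using temporary credentials.
+- Review the IP, agent, and context to differentiate expected automation from unauthorized access.
+
+### Response and Remediation
+
+- **Revoke Credentials**: If unauthorized, revoke the access keys or terminate the session.
+- **Reset MFA and Passwords**: Rotate credentials for the affected IAM user.
+- **Review IAM Policies**: Limit permissions to register MFA devices to trusted roles only.
+- **Enable CloudTrail Alerts**: Monitor IAM changes more broadly with CloudTrail-based alerts.
+"""
+references = ["https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"]
+risk_score = 47
+rule_id = "e4feea34-3b62-4c83-b77f-018fbef48c00"
+severity = "medium"
+tags = [
+"Domain: Cloud",
+"Data Source: AWS",
+"Data Source: Amazon Web Services",
+"Data Source: AWS CloudTrail",
+"Data Source: AWS IAM",
+"Tactic: Persistence",
+"Use Case: Identity and Access Audit",
+"Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "aws.cloudtrail"
+and event.provider: "iam.amazonaws.com"
+and event.action: ("CreateVirtualMFADevice" or "EnableMFADevice")
+and aws.cloudtrail.user_identity.access_key_id: ASIA*
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.005"
+name = "Device Registration"
+reference = "https://attack.mitre.org/techniques/T1098/005/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+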
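Review bot: The `ASIA*` predicate on query line 71 is doing all of the discriminating work, but in my experience console sign-in sessions and every AssumeRole / IAM Identity Center session also appear in `aws.cloudtrail.user_identity.access_key_id` with an `ASIA` prefix, so the rule as written likely fires on the routine case of a user enabling their own MFA from the console rather than isolating stolen session tokens; this is worth confirming against a baseline before the `maturity = "production"` on line 4 ships. If that holds, the sentence on note line 29 ("is uncommon and may indicate malicious activity") overstates the signal, and I would soften it to `An attempt to create or enable a Virtual MFA device from a session credential is routine for console and federated users; the value of this alert lies in the session's origin and prior activity, not in the event alone.` The "Identify the User" step on line 33 should also name `aws.cloudtrail.user_identity.type` explicitly so the analyst can separate an IAMUser console session from an assumed role at a glance. Narrowing the query on that same field would cut the noise, but that is a tuning decision for the rule owners rather than something to change here.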
