Skip to content
Threat Feed
medium advisory

AWS IAM Virtual MFA Device Registration Attempt with Session Token

An adversary with compromised temporary AWS credentials attempts to establish persistence by creating or enabling a virtual MFA device, bypassing expected session token usage.

This detection identifies attempts to create or enable a Virtual MFA device (CreateVirtualMFADevice, EnableMFADevice) using temporary AWS credentials (access keys beginning with ASIA). These session tokens, generated by the AWS Security Token Service (STS), are intended for short-lived operations and should not be used to modify IAM authentication mechanisms. An adversary who has compromised temporary credentials may attempt to establish persistence by attaching new MFA devices to high-privilege accounts. This allows them to maintain access even after key rotation or password resets. This activity is unusual as session credentials should not be used for these operations and could indicate malicious activity. The rule automatically excludes console login sessions to reduce false positives.

Attack Chain

  1. An attacker compromises temporary AWS credentials (ASIA prefix) through methods like exploiting a vulnerable application or phishing.
  2. The attacker uses the compromised temporary credentials to authenticate to the AWS API.
  3. The attacker attempts to create a new virtual MFA device using the CreateVirtualMFADevice API call, specifying a device name.
  4. The attacker then attempts to enable the newly created MFA device for a target IAM user using the EnableMFADevice API call, associating the device with the user's account.
  5. If successful, the attacker now has an MFA device associated with the target user, which they control.
  6. The attacker can leverage the newly registered MFA device to authenticate as the target user, even if the original credentials are rotated.
  7. The attacker uses the persistent access to escalate privileges, access sensitive data, or perform other malicious activities within the AWS environment.

Impact

Successful exploitation allows attackers to maintain persistent access to AWS accounts, even after password resets or key rotations. This can lead to unauthorized access to sensitive data, privilege escalation, and disruption of services. While the specific number of victims is unknown, this technique can impact any organization using AWS that relies on temporary credentials and does not adequately monitor IAM activity. A successful attack allows the adversary to maintain a foothold within the environment, making remediation more complex and costly.

Recommendation

  • Deploy the Sigma rule "AWS IAM Virtual MFA Device Registration Attempt with Session Token" to your SIEM to detect this activity and tune for your environment.
  • Enforce the iam:EnableMFADevice and iam:CreateVirtualMFADevice permissions only for trusted admin roles as mentioned in the overview.
  • Monitor for any future ASIA credential–based IAM configuration changes to detect similar persistence attempts, referencing the overview.
  • Implement aws:MultiFactorAuthPresent conditions in IAM policies as recommended in the source material.
  • Investigate alerts from the Sigma rule by reviewing CloudTrail logs for related IAM modifications (UpdateLoginProfile, AttachUserPolicy, CreateAccessKey).

Detection coverage 2

AWS IAM Virtual MFA Device Registration Attempt with Session Token

medium

Detects attempts to create or enable a Virtual MFA device using temporary AWS credentials (ASIA prefix) outside of console login sessions.

sigma tactics: persistence techniques: T1098.005, T1556.006 sources: cloudtrail, aws

AWS IAM MFA Device Deletion or Deactivation with Session Token

medium

Detects attempts to delete or deactivate a Virtual MFA device using temporary AWS credentials (ASIA prefix).

sigma tactics: persistence techniques: T1098.005 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →