AWS IAM Virtual MFA Device Registration Attempt with Session Token
An adversary with compromised temporary AWS credentials attempts to establish persistence by creating or enabling a virtual MFA device, bypassing expected session token usage.
This detection identifies attempts to create or enable a Virtual MFA device (CreateVirtualMFADevice, EnableMFADevice) using temporary AWS credentials (access keys beginning with ASIA). These session tokens, generated by the AWS Security Token Service (STS), are intended for short-lived operations and should not be used to modify IAM authentication mechanisms. An adversary who has compromised temporary credentials may attempt to establish persistence by attaching new MFA devices to high-privilege accounts. This allows them to maintain access even after key rotation or password resets. This activity is unusual as session credentials should not be used for these operations and could indicate malicious activity. The rule automatically excludes console login sessions to reduce false positives.
Attack Chain
- An attacker compromises temporary AWS credentials (ASIA prefix) through methods like exploiting a vulnerable application or phishing.
- The attacker uses the compromised temporary credentials to authenticate to the AWS API.
- The attacker attempts to create a new virtual MFA device using the
CreateVirtualMFADeviceAPI call, specifying a device name. - The attacker then attempts to enable the newly created MFA device for a target IAM user using the
EnableMFADeviceAPI call, associating the device with the user's account. - If successful, the attacker now has an MFA device associated with the target user, which they control.
- The attacker can leverage the newly registered MFA device to authenticate as the target user, even if the original credentials are rotated.
- The attacker uses the persistent access to escalate privileges, access sensitive data, or perform other malicious activities within the AWS environment.
Impact
Successful exploitation allows attackers to maintain persistent access to AWS accounts, even after password resets or key rotations. This can lead to unauthorized access to sensitive data, privilege escalation, and disruption of services. While the specific number of victims is unknown, this technique can impact any organization using AWS that relies on temporary credentials and does not adequately monitor IAM activity. A successful attack allows the adversary to maintain a foothold within the environment, making remediation more complex and costly.
Recommendation
- Deploy the Sigma rule "AWS IAM Virtual MFA Device Registration Attempt with Session Token" to your SIEM to detect this activity and tune for your environment.
- Enforce the
iam:EnableMFADeviceandiam:CreateVirtualMFADevicepermissions only for trusted admin roles as mentioned in the overview. - Monitor for any future
ASIAcredential–based IAM configuration changes to detect similar persistence attempts, referencing the overview. - Implement
aws:MultiFactorAuthPresentconditions in IAM policies as recommended in the source material. - Investigate alerts from the Sigma rule by reviewing CloudTrail logs for related IAM modifications (
UpdateLoginProfile,AttachUserPolicy,CreateAccessKey).
Detection coverage 2
AWS IAM Virtual MFA Device Registration Attempt with Session Token
mediumDetects attempts to create or enable a Virtual MFA device using temporary AWS credentials (ASIA prefix) outside of console login sessions.
AWS IAM MFA Device Deletion or Deactivation with Session Token
mediumDetects attempts to delete or deactivate a Virtual MFA device using temporary AWS credentials (ASIA prefix).
Detection queries are available on the platform. Get full rules →