AWS Virtual MFA Device Registration Attempt
An adversary attempts to register a virtual MFA device to an AWS account, potentially leading to account takeover and unauthorized access to resources.
This threat brief focuses on the potential for an adversary to register a virtual Multi-Factor Authentication (MFA) device with an AWS account they have compromised, or are attempting to compromise. While the source document is merely a pointer to a detection rule repository and not a threat advisory, the capability to monitor for virtual MFA registration can alert on account takeover attempts. Attackers can leverage compromised credentials or other vulnerabilities to gain initial access, then attempt to add their own MFA device, bypassing existing security controls and establishing persistent access. This action allows the attacker to control the account even if the original password is changed or other security measures are put in place. Early detection of this behavior is crucial to preventing further damage.
Attack Chain
- Initial Access: The attacker gains access to AWS account credentials through phishing, credential stuffing, or other means.
- Login Attempt: The attacker attempts to log into the AWS Management Console or uses the AWS CLI with the compromised credentials.
- Verification Check: The system prompts for MFA if enabled for the user. If not enabled, the attacker proceeds to enable it.
- Register MFA: The attacker initiates the process of registering a new virtual MFA device within the AWS IAM settings.
- QR Code/Secret Key Retrieval: The attacker retrieves the QR code or secret key required to activate the virtual MFA device on their own device.
- Virtual MFA Activation: The attacker uses an authenticator app (e.g., Google Authenticator, Authy) to scan the QR code or manually enters the secret key, generating a time-based one-time password (TOTP).
- MFA Verification: The attacker enters the TOTP into the AWS console to successfully register the virtual MFA device.
- Persistence: The attacker now has persistent access to the AWS account, bypassing original MFA configuration and maintains access even if the password changes.
Impact
A successful registration of a rogue virtual MFA device grants the attacker persistent access to the AWS account. This can lead to unauthorized access to sensitive data, modification of AWS resources, deployment of malicious workloads, or even complete account takeover, resulting in significant financial loss, data breaches, and reputational damage. Organizations in all sectors that rely on AWS infrastructure are vulnerable.
Recommendation
- Deploy the provided Sigma rule "Detect AWS Virtual MFA Device Registration" to your SIEM and tune for your environment to alert on successful registrations.
- Monitor AWS CloudTrail logs for
CreateVirtualMFADeviceevents to detect the creation of new virtual MFA devices (reference log source in Sigma rule). - Investigate any alerts generated by the Sigma rule by validating the source IP addresses and user agents associated with MFA device registration attempts.
Detection coverage 2
Detect AWS Virtual MFA Device Registration
highDetects when a virtual MFA device is registered in AWS, which could indicate an account takeover attempt.
Detect AWS MFA Deletion followed by Creation
mediumDetects the deletion of a virtual MFA device followed by the creation of a new one within a short timeframe, which might indicate malicious activity.
Detection queries are available on the platform. Get full rules →