{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/deactivation/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Identity and Access Management"],"_cs_severities":["medium"],"_cs_tags":["aws","iam","mfa","deactivation","cloudtrail"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of Multi-Factor Authentication (MFA) device deactivation within AWS Identity and Access Management (IAM). Adversaries, or compromised administrators, may attempt to deactivate MFA devices to weaken account protections, disable strong authentication, and potentially escalate privileges or establish persistence within the AWS environment. The detection strategy hinges on monitoring successful \u003ccode\u003eDeactivateMFADevice\u003c/code\u003e API calls, which represent the event when MFA protection is actively removed from an IAM user. Successful deactivation of MFA makes an AWS account more vulnerable to credential theft and unauthorized access, especially for privileged accounts. Defenders need to be aware of legitimate MFA deactivation events like device rotation or user offboarding, which can cause false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of an IAM user's credentials through phishing or credential stuffing.\u003c/li\u003e\n\u003cli\u003eAttacker logs into the AWS environment using compromised credentials.\u003c/li\u003e\n\u003cli\u003eAttacker enumerates MFA devices associated with the target IAM user by using API calls like \u003ccode\u003eListMFADevices\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker calls \u003ccode\u003eDeactivateMFADevice\u003c/code\u003e to remove the MFA requirement for the targeted user.\u003c/li\u003e\n\u003cli\u003eThe AWS IAM service processes the \u003ccode\u003eDeactivateMFADevice\u003c/code\u003e request and, if authorized based on the attacker's privileges, removes the MFA association.\u003c/li\u003e\n\u003cli\u003eAttacker may then create new access keys (\u003ccode\u003eCreateAccessKey\u003c/code\u003e) or modify IAM policies (\u003ccode\u003eAttachUserPolicy\u003c/code\u003e) to further their access.\u003c/li\u003e\n\u003cli\u003eAttacker accesses sensitive AWS resources, such as S3 buckets or EC2 instances, without MFA.\u003c/li\u003e\n\u003cli\u003eAttacker establishes persistence by creating backdoors or modifying IAM roles to maintain access after the initial compromise is detected.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful MFA deactivation can lead to unauthorized access to sensitive data, service disruption, or complete account takeover. The impact is magnified when privileged accounts are targeted. The lack of MFA significantly reduces the security posture of the affected AWS account, making it easier for attackers to move laterally within the AWS environment and exfiltrate data. Organizations relying heavily on AWS services could face significant financial losses and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS IAM MFA Deactivation\u003c/code\u003e to detect successful \u003ccode\u003eDeactivateMFADevice\u003c/code\u003e API calls (see rule below).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected \u003ccode\u003eDeactivateMFADevice\u003c/code\u003e events by reviewing \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003esource.ip\u003c/code\u003e to determine the initiator and origin.\u003c/li\u003e\n\u003cli\u003eEnable AWS CloudTrail logging and monitor for IAM configuration changes, focusing on events related to MFA device management.\u003c/li\u003e\n\u003cli\u003eEnforce MFA for all IAM users, particularly those with elevated privileges, using service control policies (SCPs).\u003c/li\u003e\n\u003cli\u003eImplement automated alerts for unusual IAM activity, such as MFA deactivation outside of business hours or from unfamiliar IP addresses.\u003c/li\u003e\n\u003cli\u003eReview CloudTrail logs for related API calls like \u003ccode\u003eListMFADevices\u003c/code\u003e, \u003ccode\u003eCreateAccessKey\u003c/code\u003e, or \u003ccode\u003eAttachUserPolicy\u003c/code\u003e following the \u003ccode\u003eDeactivateMFADevice\u003c/code\u003e event.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-iam-mfa-deactivation/","summary":"Detection of AWS IAM MFA device deactivation via the `DeactivateMFADevice` API call, which could indicate an attempt to weaken account protections for privilege escalation or persistence.","title":"AWS IAM MFA Device Deactivation","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-iam-mfa-deactivation/"}],"language":"en","title":"CraftedSignal Threat Feed - Deactivation","version":"https://jsonfeed.org/version/1.1"}