# asl_aws_multi_factor_authentication_disabled.yml
name: ASL AWS Multi-Factor Authentication Disabled
id: 4d2df5e0-1092-4817-88a8-79c7fa054668
version: 2
date: '2024-02-13'
author: Patrick Bareiss, Splunk
status: production
type: TTP
description: The following analytic detects when multi-factor authentication (MFA) is disabled for an AWS IAM user. It operates by monitoring for
  specific API calls that deactivate MFA, signaling a potential unauthorized attempt to weaken account security. This behavior is critical for a
  Security Operations Center (SOC) to identify, as disabling MFA removes a significant barrier against unauthorized access, making accounts more
  vulnerable to compromise. The impact of such an attack is substantial, as it allows adversaries to maintain access within the environment with
  less risk of detection, facilitating further malicious activities.
data_source: []
search: '`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice) | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
  | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_multi_factor_authentication_disabled_filter`'
how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides
  security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search,
  ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or
  the Federated Analytics App.
known_false_positives: AWS Administrators may disable MFA but it is highly unlikely
  for this event to occur without prior notice to the company
references:
- https://attack.mitre.org/techniques/T1621/
- https://aws.amazon.com/what-is/mfa/
tags:
  analytic_story:
  - AWS Identity and Access Management Account Takeover
  asset_type: AWS Account
  confidence: 80
  impact: 80
  message: User $user$ has disabled Multi-Factor authentication for AWS account $aws_account_id$
  mitre_attack_id:
  - T1586
  - T1586.003
  - T1621
  - T1556
  - T1556.006
  observable:
  - name: src_ip
    type: IP Address
    role:
    - Attacker
  - name: user
    type: User
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - api.operation
  - actor.user.account_uid
  - actor.user.name
  - actor.user.uid
  - http_request.user_agent
  - src_endpoint.ip
  - cloud.region
  risk_score: 64
  security_domain: threat
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_mfa_disabled/asl_ocsf_cloudtrail.json
    sourcetype: aws:cloudtrail:lake
    source: aws_asl
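The SPL search above is easier to reason about when its pipeline is traced step by step over concrete records. The following Python is an added example, not part of the Splunk security content project or of this YAML: it re-implements the search's logic (filter on the two MFA-removal operations, `fillnull`, `stats count min/max(_time) by ...`, the `rename`, and the ctime conversion) over a handful of constructed OCSF-shaped events. It assumes flattened dotted field names as Splunk indexes them, an epoch-millisecond `time` field as the event timestamp, that `security_content_ctime` renders as `%m/%d/%Y %H:%M:%S` in UTC, and that the `_filter` macro is empty; all of those are assumptions of this example.

```python
from datetime import datetime, timezone

# Operations the SPL search matches; either call removes an MFA factor from an IAM user.
MFA_REMOVAL_OPERATIONS = {"DeleteVirtualMFADevice", "DeactivateMFADevice"}

# The `by` clause of the stats command, in order.
GROUP_BY = (
    "api.operation",
    "actor.user.account_uid",
    "actor.user.uid",
    "http_request.user_agent",
    "src_endpoint.ip",
    "cloud.region",
)

# The rename step; fields not listed keep their original name.
RENAME = {
    "actor.user.uid": "user",
    "src_endpoint.ip": "src_ip",
    "cloud.region": "region",
    "http_request.user_agent": "user_agent",
    "actor.user.account_uid": "aws_account_id",
}

# SPL `fillnull` with no arguments fills missing fields with 0.
FILLNULL_VALUE = 0

# The notable message template from the `tags.message` field of the detection.
MESSAGE_TEMPLATE = "User $user$ has disabled Multi-Factor authentication for AWS account $aws_account_id$"

# Constructed sample events (not real telemetry). Two DeactivateMFADevice calls by one
# user, one DeleteVirtualMFADevice call by another user with no cloud.region field,
# and one benign ListUsers call that must not match. `time` is assumed epoch ms.
SAMPLE_EVENTS = [
    {"time": 1707825600000, "api.operation": "DeactivateMFADevice",
     "actor.user.uid": "AIDAEXAMPLEUSER1", "actor.user.account_uid": "123456789012",
     "http_request.user_agent": "aws-cli/2.15.0", "src_endpoint.ip": "203.0.113.10",
     "cloud.region": "us-east-1"},
    {"time": 1707825660000, "api.operation": "DeactivateMFADevice",
     "actor.user.uid": "AIDAEXAMPLEUSER1", "actor.user.account_uid": "123456789012",
     "http_request.user_agent": "aws-cli/2.15.0", "src_endpoint.ip": "203.0.113.10",
     "cloud.region": "us-east-1"},
    {"time": 1707829200000, "api.operation": "DeleteVirtualMFADevice",
     "actor.user.uid": "AIDAEXAMPLEUSER2", "actor.user.account_uid": "123456789012",
     "http_request.user_agent": "console.amazonaws.com", "src_endpoint.ip": "198.51.100.7"},
    {"time": 1707829260000, "api.operation": "ListUsers",
     "actor.user.uid": "AIDAEXAMPLEUSER3", "actor.user.account_uid": "123456789012",
     "http_request.user_agent": "aws-cli/2.15.0", "src_endpoint.ip": "203.0.113.10",
     "cloud.region": "us-east-1"},
]


def security_content_ctime(epoch_ms):
    """Assumed rendering of the `security_content_ctime` macro: UTC, %m/%d/%Y %H:%M:%S."""
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def detect_mfa_disabled(events):
    """Run the search pipeline over a list of flattened OCSF events; return result rows."""
    groups = {}
    for ev in events:
        # `(api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice)`
        if ev.get("api.operation") not in MFA_REMOVAL_OPERATIONS:
            continue
        # `| fillnull` then `| stats ... by <GROUP_BY>`: missing by-fields become 0
        key = tuple(ev.get(field, FILLNULL_VALUE) for field in GROUP_BY)
        grp = groups.setdefault(key, {"count": 0, "firstTime": ev["time"], "lastTime": ev["time"]})
        grp["count"] += 1
        grp["firstTime"] = min(grp["firstTime"], ev["time"])
        grp["lastTime"] = max(grp["lastTime"], ev["time"])

    rows = []
    for key, grp in sorted(groups.items(), key=lambda kv: kv[1]["firstTime"]):
        # `| rename ...` applied to the by-fields
        row = {RENAME.get(field, field): value for field, value in zip(GROUP_BY, key)}
        row["count"] = grp["count"]
        # `| security_content_ctime(firstTime)` / `(lastTime)`
        row["firstTime"] = security_content_ctime(grp["firstTime"])
        row["lastTime"] = security_content_ctime(grp["lastTime"])
        rows.append(row)
    # `| asl_aws_multi_factor_authentication_disabled_filter` is assumed empty here
    return rows


def format_message(row):
    """Expand the $field$ tokens of the detection's notable message from a result row."""
    return MESSAGE_TEMPLATE.replace("$user$", str(row["user"])).replace(
        "$aws_account_id$", str(row["aws_account_id"]))


if __name__ == "__main__":
    for row in detect_mfa_disabled(SAMPLE_EVENTS):
        print(format_message(row), "|", row)
```

The grouping key mirrors the `by` clause exactly, so the second user's row carries `region` = 0 rather than being dropped: without `fillnull`, `stats ... by` would silently discard any event missing one of the by-fields, which is why that command sits in the search before the aggregation.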