detections/cloud/aws_new_mfa_method_registered_for_user.yml

name: AWS New MFA Method Registered For User
id: 4e3c26f2-4fb9-4bd7-ab46-1b76ffa2a23b
version: 1
date: '2023-01-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
description: The following analytic identifies the registration of a new Multi Factor
  authentication method for an AWS account. Adversaries who have obtained unauthorized
  access to an AWS account may register a new MFA method to maintain persistence.
data_source: 
- AWS CloudTrail CreateVirtualMFADevice
search: ' `cloudtrail` eventName=CreateVirtualMFADevice | stats count values(requestParameters.virtualMFADeviceName)
  as virtualMFADeviceName min(_time) as firstTime max(_time) as lastTime by eventSource
  aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
  src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
  | `aws_new_mfa_method_registered_for_user_filter`'
how_to_implement: You must install Splunk AWS add on and Splunk App for AWS. This
  search works when AWS CloudTrail logs.
known_false_positives: Newly onboarded users who are registering an MFA method for
  the first time will also trigger this detection.
references:
- https://aws.amazon.com/blogs/security/you-can-now-assign-multiple-mfa-devices-in-iam/
- https://attack.mitre.org/techniques/T1556/
- https://attack.mitre.org/techniques/T1556/006/
- https://twitter.com/jhencinski/status/1618660062352007174
tags:
  analytic_story:
  - AWS Identity and Access Management Account Takeover
  asset_type: AWS Account
  confidence: 80
  impact: 80
  message: A new virtual device $virtualMFADeviceName$ is added to user $user_arn$
  mitre_attack_id:
  - T1556
  - T1556.006
  observable:
  - name: user_arn
    type: User
    role:
    - Victim
  - name: src_ip
    type: IP Address
    role:
    - Attacker
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - src_ip
  - eventName
  - eventSource
  - requestParameters.virtualMFADeviceName
  - errorCode
  - userIdentity.principalId
  - userAgent
  - awsRegion
  - user_name
  - userIdentity.arn
  - _time
  risk_score: 64
  security_domain: identity
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/cloudtrail.json
    sourcetype: aws:cloudtrail
    source: aws_cloudtrail
    update_timestamp: true