aws_new_mfa_method_registered_for_user.yml
name: AWS New MFA Method Registered For User
id: 4e3c26f2-4fb9-4bd7-ab46-1b76ffa2a23b
version: 1
date: '2023-01-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
description: The following analytic identifies the registration of a new multi-factor
  authentication (MFA) method for an AWS IAM identity, keyed on the CloudTrail
  CreateVirtualMFADevice event. Adversaries who have obtained unauthorized access
  to an AWS account may register a new MFA method to maintain persistence. Note
  that CreateVirtualMFADevice only creates the virtual device; the EnableMFADevice
  call that binds it to a user is logged as a separate event, and user_arn in the
  results is the identity that made the call, not necessarily the user the device
  is later enabled for.
data_source:
- AWS CloudTrail CreateVirtualMFADevice
search: ' `cloudtrail` eventName=CreateVirtualMFADevice | stats count values(requestParameters.virtualMFADeviceName)
as virtualMFADeviceName min(_time) as firstTime max(_time) as lastTime by eventSource
aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
| `aws_new_mfa_method_registered_for_user_filter`'
how_to_implement: You must install the Splunk Add-on for AWS and the Splunk App for
  AWS. This search works with AWS CloudTrail logs ingested through the add-on
  (sourcetype aws:cloudtrail). Because stats groups by errorCode, confirm that the
  field is populated (or fillnull it) for successful calls in your environment,
  otherwise successful registrations will be dropped from the results.
known_false_positives: Newly onboarded users who are registering an MFA method for
the first time will also trigger this detection.
references:
- https://aws.amazon.com/blogs/security/you-can-now-assign-multiple-mfa-devices-in-iam/
- https://attack.mitre.org/techniques/T1556/
- https://attack.mitre.org/techniques/T1556/006/
- https://twitter.com/jhencinski/status/1618660062352007174
tags:
analytic_story:
- AWS Identity and Access Management Account Takeover
asset_type: AWS Account
confidence: 80
impact: 80
  message: A new virtual MFA device $virtualMFADeviceName$ was created by principal $user_arn$ from $src_ip$
mitre_attack_id:
- T1556
- T1556.006
observable:
- name: user_arn
type: User
role:
- Victim
- name: src_ip
type: IP Address
role:
- Attacker
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- src_ip
- eventName
- eventSource
- requestParameters.virtualMFADeviceName
- errorCode
- userIdentity.principalId
- userAgent
- awsRegion
- user_name
- userIdentity.arn
- _time
risk_score: 64
security_domain: identity
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/cloudtrail.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
update_timestamp: true
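The search above can be exercised offline by re-implementing its stats aggregation over raw CloudTrail records. The block below is an added example, not code from the Splunk security_content project: it normalises constructed CloudTrail records the way the add-on aliases them (userIdentity.arn to user_arn, sourceIPAddress to src_ip, recipientAccountId to aws_account_id), groups CreateVirtualMFADevice events by the same keys as the SPL except eventID (which is unique per event and would otherwise force every row to count=1; the eventIDs are collected as values instead), and goes one step beyond the search by joining the device names against EnableMFADevice events so the alert names the user the device was actually bound to. The "success" placeholder for a missing errorCode and the helper names are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timezone

ACCT = "123456789012"
ALICE = f"arn:aws:iam::{ACCT}:user/alice"
BOB = f"arn:aws:iam::{ACCT}:user/bob"


def _rec(t, name, arn, ip, params, error=None):
    """Build one constructed CloudTrail record (not real data)."""
    r = {"eventTime": t, "eventSource": "iam.amazonaws.com", "eventName": name,
         "awsRegion": "us-east-1", "sourceIPAddress": ip, "userAgent": "aws-cli/2.9.0",
         "userIdentity": {"type": "IAMUser", "arn": arn,
                          "principalId": "AIDA" + arn.rsplit("/", 1)[1].upper()},
         "requestParameters": params, "recipientAccountId": ACCT,
         "eventID": "evt-" + t[11:19].replace(":", "")}
    if error:
        r["errorCode"] = error
    return r


# Constructed sample events: benign onboarding, then the same keys reused from
# a new IP to register two extra devices, then a denied attempt by another user.
SAMPLE_CLOUDTRAIL = [
    _rec("2023-01-31T10:00:01Z", "CreateVirtualMFADevice", ALICE, "198.51.100.23",
         {"virtualMFADeviceName": "alice-phone"}),
    _rec("2023-01-31T10:00:09Z", "EnableMFADevice", ALICE, "198.51.100.23",
         {"userName": "alice", "serialNumber": f"arn:aws:iam::{ACCT}:mfa/alice-phone"}),
    _rec("2023-01-31T11:30:00Z", "CreateVirtualMFADevice", ALICE, "203.0.113.77",
         {"virtualMFADeviceName": "persist"}),
    _rec("2023-01-31T11:30:05Z", "EnableMFADevice", ALICE, "203.0.113.77",
         {"userName": "alice", "serialNumber": f"arn:aws:iam::{ACCT}:mfa/persist"}),
    _rec("2023-01-31T11:31:40Z", "CreateVirtualMFADevice", ALICE, "203.0.113.77",
         {"virtualMFADeviceName": "persist2"}),
    _rec("2023-01-31T12:00:00Z", "CreateVirtualMFADevice", BOB, "198.51.100.40",
         {"virtualMFADeviceName": "bob-phone"}, error="AccessDenied"),
]


def normalise(rec):
    """Apply the field aliases the Splunk AWS add-on gives CloudTrail events.
    CloudTrail omits errorCode on success; "success" is this example's filler so
    the group key is never null (assumption, see usage note)."""
    ui = rec.get("userIdentity", {})
    return {
        "_time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "eventName": rec["eventName"], "eventSource": rec["eventSource"],
        "aws_account_id": rec.get("recipientAccountId", ""),
        "errorCode": rec.get("errorCode", "success"),
        "userAgent": rec.get("userAgent", ""), "eventID": rec["eventID"],
        "awsRegion": rec["awsRegion"], "principalId": ui.get("principalId", ""),
        "user_arn": ui.get("arn", ""), "src_ip": rec.get("sourceIPAddress", ""),
        "requestParameters": rec.get("requestParameters") or {},
    }


def detect_new_mfa_registrations(records):
    """Mirror the detection's stats clause and return one result row per group."""
    events = [normalise(r) for r in records]
    # serialNumber -> userName for successful EnableMFADevice calls. A virtual
    # device's serial number is its ARN, arn:aws:iam::ACCOUNT:mfa/DeviceName.
    enabled = {}
    for e in events:
        if e["eventName"] == "EnableMFADevice" and e["errorCode"] == "success":
            rp = e["requestParameters"]
            enabled[rp.get("serialNumber", "")] = rp.get("userName", "")
    groups = defaultdict(lambda: {"count": 0, "names": set(), "eventIDs": [], "times": []})
    for e in events:
        if e["eventName"] != "CreateVirtualMFADevice":
            continue
        key = (e["eventSource"], e["aws_account_id"], e["errorCode"], e["userAgent"],
               e["awsRegion"], e["principalId"], e["user_arn"], e["src_ip"])
        g = groups[key]
        g["count"] += 1
        g["times"].append(e["_time"])
        g["eventIDs"].append(e["eventID"])
        name = e["requestParameters"].get("virtualMFADeviceName")
        if name:
            g["names"].add(name)
    rows = []
    for key, g in groups.items():
        src, acct, err, ua, region, pid, arn, ip = key
        names = sorted(g["names"])  # SPL values() yields distinct, sorted values
        bound = sorted({enabled[s] for s in (f"arn:aws:iam::{acct}:mfa/{n}" for n in names) if s in enabled})
        rows.append({
            "eventSource": src, "aws_account_id": acct, "errorCode": err, "userAgent": ua,
            "awsRegion": region, "principalId": pid, "user_arn": arn, "src_ip": ip,
            "count": g["count"], "virtualMFADeviceName": names, "eventIDs": g["eventIDs"],
            "firstTime": min(g["times"]).strftime("%Y-%m-%dT%H:%M:%S"),
            "lastTime": max(g["times"]).strftime("%Y-%m-%dT%H:%M:%S"),
            "enabled_for_users": bound,
            "message": f"A new virtual MFA device {', '.join(names)} was created by principal {arn} from {ip}",
        })
    return rows


if __name__ == "__main__":
    for row in detect_new_mfa_registrations(SAMPLE_CLOUDTRAIL):
        print(row["message"], "| count", row["count"], "| enabled for", row["enabled_for_users"])
```

Two things the example makes visible that the SPL alone does not: the benign onboarding row and the row from the second IP are separated only because src_ip is in the group key, so the src_ip observable is what carries the signal; and in Splunk `stats ... by` silently drops events where any by-field is null, so if your add-on does not populate errorCode on successful calls the successful registrations (the ones you care about) vanish from the results unless you `fillnull` first.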