AWS IAM Virtual MFA Device Registration Attempt with Session Token
Detects attempts to create or enable a Virtual MFA device (CreateVirtualMFADevice, EnableMFADevice) using temporary AWS credentials (access keys beginning with ASIA). Session credentials are short-lived and tied to existing authenticated sessions, so using them to register or enable MFA devices is unusual. Adversaries who compromise temporary credentials may abuse this behavior to establish persistence by attaching new MFA devices to maintain access to high-privilege accounts despite key rotation or password resets.
Elastic rule
[metadata]
creation_date = "2025/04/11"
integration = ["aws"]
maturity = "production"
min_stack_version = "9.2.0"
min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0"
updated_date = "2026/02/25"

[rule]
author = ["Elastic"]
description = """
Detects attempts to create or enable a Virtual MFA device (CreateVirtualMFADevice, EnableMFADevice) using temporary AWS
credentials (access keys beginning with ASIA). Session credentials are short-lived and tied to existing authenticated
sessions, so using them to register or enable MFA devices is unusual. Adversaries who compromise temporary credentials
may abuse this behavior to establish persistence by attaching new MFA devices to maintain access to high-privilege
accounts despite key rotation or password resets.
"""
false_positives = [
    """
    Some legitimate administrative workflows or CI/CD automation pipelines may temporarily configure or re-enable MFA
    devices using session-based credentials. Validate the calling identity’s purpose, source IP, and user agent to
    confirm whether this activity was authorized. This rule automatically excludes console login sessions, which filters out expected MFA operations performed via the
    AWS Management Console.
    """,
]
from = "now-6m"
index = ["logs-aws.cloudtrail-*"]
language = "eql"
license = "Elastic License v2"
name = "AWS IAM Virtual MFA Device Registration Attempt with Session Token"
note = """## Triage and Analysis

### Investigating AWS IAM Virtual MFA Device Registration Attempt with Session Token

Temporary credentials that start with the prefix `ASIA` are generated by the AWS Security Token Service (STS). These
session tokens are used for short-lived operations and should not be used to modify or register IAM
authentication mechanisms. This rule detects cases where an IAM user or role uses such temporary credentials to invoke either `CreateVirtualMFADevice` or `EnableMFADevice`.

### Possible investigation steps

- **Identify the actor and session context**
  - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine the identity and confirm the `ASIA` prefix.
  - This rule automatically filters out console login sessions using `aws.cloudtrail.session_credential_from_console`, so alerts indicate non-console temporary credential usage.
  - Check `user_agent.original`, `source.ip`, and `cloud.region` to determine if this activity originated from an expected host, VPN, or location.
  - Cross-reference with prior activity by this identity—especially `GetSessionToken`, `AssumeRole`, or `GetCallerIdentity` calls.

- **Correlate related IAM events**
  - Search for subsequent or preceding calls to:
    - `EnableMFADevice` (after `CreateVirtualMFADevice`)
    - `DeactivateMFADevice` or `DeleteVirtualMFADevice`
    - `ListMFADevices`, `ListUsers`, or `UpdateLoginProfile`
  - Review whether new MFA devices were successfully enabled (`event.outcome:success`).

- **Assess session scope and privileges**
  - Identify what IAM policies are attached to the user or role that issued this request.
  - If the temporary credentials were created via `AssumeRole` or `GetSessionToken`, check the originating principal’s permissions.

- **Investigate possible persistence**
  - Look for new MFA devices listed for privileged users (e.g., account root or admin roles).
  - Review login history for those accounts following the MFA change.

### False positive analysis

- **Legitimate Administrative or Automated Actions**
  Certain IAM administrative workflows or CI/CD automation tools may register or enable MFA devices using temporary
  session credentials. Confirm whether the calling principal is part of an authorized automation process or a known
  identity performing account configuration tasks.

- **Expected Console Behavior**
  Console-based MFA operations are automatically filtered out by this rule using the `aws.cloudtrail.session_credential_from_console` field.
  Alerts from this rule indicate MFA operations performed with temporary credentials obtained outside of console login sessions.

### Response and remediation

- **Immediate containment**
  - Revoke or expire the temporary credentials (`aws sts revoke-session` if applicable).
  - Disable or delete any newly created virtual MFA devices using `DeleteVirtualMFADevice`.
  - Rotate passwords and long-term access keys for the associated IAM users.

- **Investigation and scoping**
  - Review CloudTrail logs for related IAM modifications (`UpdateLoginProfile`, `AttachUserPolicy`, `CreateAccessKey`).
  - Identify any new API keys or tokens created after the MFA registration.
  - Cross-check whether the attacker leveraged the new MFA binding for session persistence or login.

- **Recovery and hardening**
  - Enforce the `iam:EnableMFADevice` and `iam:CreateVirtualMFADevice` permissions only for trusted admin roles.
  - Implement `aws:MultiFactorAuthPresent` conditions in IAM policies.
  - Monitor for any future `ASIA` credential–based IAM configuration changes.

### Additional information
- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **[Managing MFA Devices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html)**
"""
references = ["https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"]
risk_score = 47
rule_id = "e4feea34-3b62-4c83-b77f-018fbef48c00"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS CloudTrail",
    "Data Source: AWS IAM",
    "Tactic: Persistence",
    "Use Case: Identity and Access Audit",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
iam where event.dataset == "aws.cloudtrail"
    and event.provider == "iam.amazonaws.com"
    and event.outcome == "success"
    and event.action in ("CreateVirtualMFADevice", "EnableMFADevice")
    and startsWith (aws.cloudtrail.user_identity.access_key_id, "ASIA")
    and not aws.cloudtrail.session_credential_from_console == "true"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.005"
name = "Device Registration"
reference = "https://attack.mitre.org/techniques/T1098/005/"


[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"
[[rule.threat.technique.subtechnique]]
id = "T1556.006"
name = "Multi-Factor Authentication"
reference = "https://attack.mitre.org/techniques/T1556/006/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]
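The query's conditions re-implemented in Python over raw CloudTrail records, as an added example that is not the rule's or Elastic's own code: it shows which constructed records the rule would match, why the console-session, long-term-key and failed-call cases are excluded, and how the triage step of finding the originating principal reads `sessionContext.sessionIssuer`. The helper names, account id, ARNs and key ids are assumptions made for this example.

```python
# Added example, not the Elastic rule's own code: the EQL conditions re-implemented over
# raw CloudTrail records so the match logic can be run offline. Field names follow the
# CloudTrail record format; helper names and sample records are constructed.
MFA_REGISTRATION_ACTIONS = {"CreateVirtualMFADevice", "EnableMFADevice"}

def is_session_mfa_registration(record: dict) -> bool:
    """Successful IAM MFA registration made with ASIA credentials outside a console session."""
    if record.get("eventSource") != "iam.amazonaws.com":
        return False
    if record.get("eventName") not in MFA_REGISTRATION_ACTIONS:
        return False
    if record.get("errorCode"):  # failed calls carry errorCode; the rule requires success
        return False
    if not record.get("userIdentity", {}).get("accessKeyId", "").startswith("ASIA"):
        return False
    # Console sessions use ASIA keys too, so the rule excludes them with this field
    return str(record.get("sessionCredentialFromConsole", "")).lower() != "true"

def originating_principal(record: dict) -> str:
    """Triage helper: the role that issued an assumed-role session, else the caller ARN."""
    identity = record.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "")

def find_alerts(records: list) -> list:
    return [r for r in records if is_session_mfa_registration(r)]

# Constructed sample records (placeholder account id, ARNs and key ids)
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateVirtualMFADevice",  # alert
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000001",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci-runner",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::111122223333:role/DeployRole"}}}},
    {"eventSource": "iam.amazonaws.com", "eventName": "EnableMFADevice",
     "sessionCredentialFromConsole": "true",  # console session: excluded by the rule
     "userIdentity": {"type": "IAMUser", "accessKeyId": "ASIAEXAMPLE000000002",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "EnableMFADevice",  # long-term AKIA key
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000003",
                      "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateVirtualMFADevice",
     "errorCode": "AccessDenied",  # denied call: not a successful registration
     "userIdentity": {"type": "IAMUser", "accessKeyId": "ASIAEXAMPLE000000004",
                      "arn": "arn:aws:iam::111122223333:user/carol"}},
]

if __name__ == "__main__":
    for rec in find_alerts(SAMPLE_RECORDS):
        print(rec["eventName"], rec["userIdentity"]["arn"], "->", originating_principal(rec))
```

Only the first record survives all five conditions, and `originating_principal` resolves it to the role behind the assumed-role session, which is the identity whose permissions the triage guide says to check.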
Related rules
- AWS IAM API Calls via Temporary Session Tokens
- AWS Sensitive IAM Operations Performed via CloudShell
- AWS IAM OIDC Provider Created by Rare User
- AWS IAM SAML Provider Created
- AWS IAM Deactivation of MFA Device