AWS IAM Virtual MFA Device Registration Attempt with Session Token

Identifies attempts to register or enable an IAM Virtual MFA device using temporary credentials (access keys starting with 'ASIA'). This may indicate an adversary attempting to escalate privileges or establish persistence using stolen session tokens.

Elastic rule

[metadata]
creation_date = "2025/04/11"
integration = ["aws"]
maturity = "production"
updated_date = "2025/04/15"

[rule]
author = ["Elastic"]
description = """
Identifies attempts to register or enable an IAM Virtual MFA device using temporary credentials (access keys
starting with 'ASIA'). This may indicate an adversary attempting to escalate privileges or establish persistence using
stolen session tokens.
"""
false_positives = [
    """
    Legitimate users or automation tools may register MFA devices using temporary session credentials, especially in
    CI/CD or administrative workflows. Validate the source IP, user agent, and context of the registration.
    """,
]
from = "now-9m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Virtual MFA Device Registration Attempt with Session Token"
note = """## Triage and Analysis

### Investigating AWS IAM Virtual MFA Device Registration Attempt with Session Token

AWS temporary security credentials that begin with `ASIA` indicate they are session tokens. An attempt to create or enable a Virtual MFA device using such credentials is uncommon and may indicate malicious activity.

#### Possible Investigation Steps

- **Identify the User**: Check `user.name`, `user.arn`, and `aws.cloudtrail.user_identity.*` fields to determine which IAM entity made the request.
- **Check for Prior Reconnaissance or Access**: Correlate this event with any prior calls to `GetSessionToken`, `GetCallerIdentity`, or `ListUsers` to see if an adversary was enumerating IAM users.
- **Source Context**: Review `source.ip`, `user_agent`, and `event.origin` to determine whether this came from a legitimate device or a suspicious endpoint (e.g., Kali, Mythic, unknown VPN).
- **Validate MFA Setup**: Look for follow-up attempts to call `sts:get-session-token` or `iam:EnableMFADevice` using this same session.

### False Positive Analysis

- This may occur if an admin or automation tool is legitimately setting up a new MFA device using temporary credentials.
- Review the IP, agent, and context to differentiate expected automation from unauthorized access.

### Response and Remediation

- **Revoke Credentials**: If unauthorized, revoke the access keys or terminate the session.
- **Reset MFA and Passwords**: Rotate credentials for the affected IAM user.
- **Review IAM Policies**: Limit permissions to register MFA devices to trusted roles only.
- **Enable CloudTrail Alerts**: Monitor IAM changes more broadly with CloudTrail-based alerts.
"""
references = ["https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"]
risk_score = 47
rule_id = "e4feea34-3b62-4c83-b77f-018fbef48c00"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS CloudTrail",
    "Data Source: AWS IAM",
    "Tactic: Persistence",
    "Use Case: Identity and Access Audit",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "aws.cloudtrail"
  and event.provider: "iam.amazonaws.com"
  and event.action: ("CreateVirtualMFADevice" or "EnableMFADevice")
  and aws.cloudtrail.user_identity.access_key_id: ASIA*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.005"
name = "Device Registration"
reference = "https://attack.mitre.org/techniques/T1098/005/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
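To show what the rule's KQL actually selects, the following is an added Python re-implementation of its four clauses run over constructed sample CloudTrail events; it is not Elastic's code, and the sample key IDs, user names and addresses are constructed for illustration.

```python
from typing import Any, Dict, Iterable, List

MFA_ACTIONS = {"CreateVirtualMFADevice", "EnableMFADevice"}
TRIAGE_FIELDS = ("user.name", "event.action", "source.ip", "user_agent.original")

def get_field(doc: Dict[str, Any], path: str) -> Any:
    """Resolve an ECS dotted path against either a flattened or a nested document."""
    if path in doc:
        return doc[path]
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches_rule(doc: Dict[str, Any]) -> bool:
    """Mirror the rule's four KQL clauses; 'ASIA*' is a prefix match on a keyword field."""
    key_id = get_field(doc, "aws.cloudtrail.user_identity.access_key_id")
    return (
        get_field(doc, "event.dataset") == "aws.cloudtrail"
        and get_field(doc, "event.provider") == "iam.amazonaws.com"
        and get_field(doc, "event.action") in MFA_ACTIONS
        and isinstance(key_id, str)
        and key_id.startswith("ASIA")
    )

def run_rule(docs: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one triage row (the fields the investigation guide asks for) per hit."""
    return [{f: get_field(d, f) for f in TRIAGE_FIELDS} for d in docs if matches_rule(d)]

# Constructed sample events (not real CloudTrail data); the first is nested, the rest flat.
SAMPLE_EVENTS = [
    {"event": {"dataset": "aws.cloudtrail", "provider": "iam.amazonaws.com",
               "action": "CreateVirtualMFADevice"},
     "aws": {"cloudtrail": {"user_identity": {"access_key_id": "ASIAEXAMPLE0000000001"}}},
     "user": {"name": "alice"}, "source": {"ip": "203.0.113.10"},
     "user_agent": {"original": "aws-cli/2.15.0 Python/3.11"}},
    # Same API call made with a long-term key (AKIA prefix): must not match.
    {"event.dataset": "aws.cloudtrail", "event.provider": "iam.amazonaws.com",
     "event.action": "EnableMFADevice", "user.name": "bob", "source.ip": "192.0.2.5",
     "aws.cloudtrail.user_identity.access_key_id": "AKIAEXAMPLE0000000002"},
    # Session key but an enumeration call, not an MFA registration: must not match.
    {"event.dataset": "aws.cloudtrail", "event.provider": "iam.amazonaws.com",
     "event.action": "ListUsers", "user.name": "carol", "source.ip": "192.0.2.6",
     "aws.cloudtrail.user_identity.access_key_id": "ASIAEXAMPLE0000000003"},
]
```

Only the first event survives the filter; the other two show the two ways a related IAM call can miss it (long-term key, or a session key used for something other than MFA registration).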

