Remove MFA Device¶
| Platform | Author | Last Update |
|---|---|---|
| aws | Mehmet Mert Surmeli | 2023-07-01 |
An attacker may attempt to remove MFA from an IAM user, in order to bypass authentication controls.
MITRE IDs¶
Required Permissions¶
- iam:DeactivateMFADevice
Required Parameters¶
| Name | Type | Description | Example Value |
|---|---|---|---|
| user | str | The name of the user whose MFA device you want to deactivate. | example-user |
| serialnumber | str | The serial number that uniquely identifies the MFA device.For virtual MFA devices, the serial number is the device ARN. | arn:aws:iam::000000000:mfa/MFADevice |
Attacker Action¶
aws iam deactivate-mfa-device --user-name example-user --serial-number arn:aws:iam::000000000:mfa/MFADevice
Detection Case¶
ELK query¶
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
eventName:DeactivateMFADevice AND eventSource:iam.amazonaws.com
Sigma Definition¶
---
title: Remove MFA Device
id: c4276c66-7d75-4f14-938b-640b6576f912
status: experimental
author: Mehmet Mert Surmeli
date: 2023-07-01
description: An attacker may attempt to remove MFA from an IAM user, in order to bypass authentication controls.
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: "iam.amazonaws.com"
events:
- eventName: "DeactivateMFADevice"
condition: selection_source AND events
level: low
tags:
- attack.T1562.001