AWS MFA device disabled

ID: aws_mfa_disabled
Data type: AWS CloudTrail
Severity: Informational - Low
MITRE ATT&CK: TA0003:T1556.006

Description

AlphaSOC detected the disabling of an AWS Multi-Factor Authentication (MFA) device using the DeactivateMFADevice or DeleteVirtualMFADevice actions, potentially indicating an adversary attempting to establish persistence in a compromised AWS environment.

Impact

By disabling an MFA device, a threat actor who already holds a user's password or access keys removes the second factor that would otherwise block a later sign-in, making it easier to keep long-term access to the compromised account. With that access the actor can bypass a standard control and carry out further malicious activity, such as data exfiltration, resource manipulation, or lateral movement within the AWS environment.

Severity

Severity        Condition
Informational   An AWS MFA device was disabled
Low             An AWS MFA device was disabled unexpectedly

Investigation and Remediation

Investigate the MFA device removal by reviewing the AWS CloudTrail record for the DeactivateMFADevice or DeleteVirtualMFADevice call: note the calling identity, the source IP address, the user agent, and whether the caller is the same user whose device was removed or a different principal. Look at the surrounding API calls from the same identity and address for other persistence activity (for example credential or access key creation) and verify with the user or administrator whether the change was authorized. If it was not, re-enable MFA on the account, rotate the affected user's password and access keys, revoke any active sessions, and review recent account activity for further signs of compromise.
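The triage steps above, run over CloudTrail records as an added example that is not AlphaSOC's detection logic: it picks out the two IAM actions, extracts the fields the investigation needs, and rates the event Low rather than Informational when something looks unexpected. The two "unexpected" heuristics (a different principal removed the user's device, or the call came from outside a hypothetical admin network range) and the sample records are assumptions constructed for this example; the userName-from-device-ARN fallback assumes virtual MFA devices are named after their user, which is the IAM default.

```python
"""Triage AWS IAM MFA-device removals from CloudTrail records (added example)."""
import ipaddress
import json
from dataclasses import dataclass, field

# IAM API calls that remove a second factor from a user.
MFA_REMOVAL_ACTIONS = {"DeactivateMFADevice", "DeleteVirtualMFADevice"}

# Assumption: MFA maintenance normally comes from these ranges (e.g. an admin VPN).
EXPECTED_ADMIN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class Finding:
    event_name: str
    actor: str
    target_user: str
    source_ip: str
    user_agent: str
    succeeded: bool
    severity: str
    reasons: list = field(default_factory=list)


def source_ip_is_expected(source_ip: str) -> bool:
    """True when the caller IP falls in an expected admin range.
    CloudTrail may carry a DNS name (an AWS service) instead of an IP."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in EXPECTED_ADMIN_NETWORKS)


def target_user_from_event(event: dict) -> str:
    """DeactivateMFADevice carries userName; DeleteVirtualMFADevice only carries
    the device ARN arn:aws:iam::<acct>:mfa/<name>, so fall back to its last segment."""
    params = event.get("requestParameters") or {}
    if params.get("userName"):
        return params["userName"]
    serial = params.get("serialNumber", "")
    if ":mfa/" in serial:
        return serial.rsplit("/", 1)[-1]
    return ""


def analyze_event(event: dict):
    """Return a Finding for an MFA-removal event, None for anything else."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return None
    if event.get("eventName") not in MFA_REMOVAL_ACTIONS:
        return None
    identity = event.get("userIdentity") or {}
    actor = identity.get("userName") or identity.get("arn", "unknown")
    target = target_user_from_event(event)
    source_ip = event.get("sourceIPAddress", "")
    reasons = []
    # Self-service removal is the usual maintenance pattern; one principal
    # stripping MFA from another user is worth a closer look.
    if target and actor != target:
        reasons.append(f"{actor} removed MFA belonging to {target}")
    if not source_ip_is_expected(source_ip):
        reasons.append(f"caller IP {source_ip} is outside expected admin networks")
    return Finding(
        event_name=event["eventName"], actor=actor, target_user=target,
        source_ip=source_ip, user_agent=event.get("userAgent", ""),
        succeeded="errorCode" not in event,  # failed attempts still get a finding
        severity="Low" if reasons else "Informational", reasons=reasons,
    )


def scan(records) -> list:
    """Run analyze_event over an iterable of CloudTrail event dicts."""
    return [f for f in (analyze_event(r) for r in records) if f is not None]


# Constructed sample records (not real CloudTrail data); only fields used above.
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "DeactivateMFADevice",  # self-service, admin VPN
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.23", "userAgent": "console.amazonaws.com",
     "requestParameters": {"userName": "alice",
                           "serialNumber": "arn:aws:iam::123456789012:mfa/alice"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeleteVirtualMFADevice",  # bob deletes alice's device
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.5", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"serialNumber": "arn:aws:iam::123456789012:mfa/alice"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",  # unrelated, ignored
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.5", "requestParameters": {"userName": "bob"}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(json.dumps(finding.__dict__, indent=2))
```

A virtual MFA device has to be deactivated before it can be deleted, so a DeleteVirtualMFADevice record will normally follow a DeactivateMFADevice record from the same caller; seeing the pair from a second principal, or from an address the user does not normally use, is the pattern the Low rating here is meant to surface. Treat the network allowlist and the "different principal" rule as starting points to tune against your own CloudTrail history rather than as fixed thresholds.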

Known False Positives

  • An administrator intentionally disabling MFA during account maintenance

Further Reading