AWS MFA device registered
Description
AlphaSOC detected the successful registration of an AWS Multi-Factor Authentication (MFA) device, potentially indicating an adversary attempting to establish persistence in a compromised AWS environment.
Impact
After configuring their own MFA device on a compromised account, attackers can establish persistent access to the AWS environment. This enables them to conduct further malicious activities.
Severity
| Severity | Condition |
|---|---|
| Informational | An AWS MFA device was registered |
| Low | An AWS MFA device was registered unexpectedly |
Investigation and Remediation
Investigate the AWS MFA device registration by reviewing AWS CloudTrail logs to identify the IP address, user agent, and any associated API calls. Verify whether the registration was authorized and performed by a legitimate user. If unauthorized, disable and remove the suspicious device, reset the affected user's credentials, and review recent account activities for signs of compromise.
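The triage described above, as an added example that is not AlphaSOC's own detection code: it walks CloudTrail records, keeps only successful IAM MFA registration calls (CreateVirtualMFADevice, EnableMFADevice), pulls out the source IP, user agent, actor and target user, and rates the finding per the severity table. The sample records and the expected corporate egress range 203.0.113.0/24 are constructed for this example.

```python
import ipaddress
import json

# IAM API calls in CloudTrail that register an MFA device on a principal.
MFA_REGISTRATION_EVENTS = {"CreateVirtualMFADevice", "EnableMFADevice"}

# Constructed sample CloudTrail records (made-up values, not real telemetry);
# field names follow the CloudTrail record format.
SAMPLE_RECORDS = json.loads("""[
{"eventTime":"2024-05-01T09:12:03Z","eventSource":"iam.amazonaws.com","eventName":"EnableMFADevice",
 "sourceIPAddress":"203.0.113.7","userAgent":"console.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"alice"},
 "requestParameters":{"userName":"alice","serialNumber":"arn:aws:iam::111111111111:mfa/alice"}},
{"eventTime":"2024-05-01T09:15:44Z","eventSource":"iam.amazonaws.com","eventName":"EnableMFADevice",
 "sourceIPAddress":"198.51.100.23","userAgent":"aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0","userIdentity":{"type":"IAMUser","userName":"bob"},
 "requestParameters":{"userName":"bob","serialNumber":"arn:aws:iam::111111111111:mfa/bob-2"}},
{"eventTime":"2024-05-01T09:16:10Z","eventSource":"iam.amazonaws.com","eventName":"EnableMFADevice",
 "sourceIPAddress":"198.51.100.23","userAgent":"aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0","userIdentity":{"type":"IAMUser","userName":"bob"},
 "requestParameters":{"userName":"bob","serialNumber":"arn:aws:iam::111111111111:mfa/bob-2"},"errorCode":"EntityAlreadyExists"},
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"iam.amazonaws.com","eventName":"ListMFADevices",
 "sourceIPAddress":"203.0.113.7","userAgent":"console.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"alice"}}
]""")

# Assumed corporate egress range for this example; registrations from elsewhere are rated Low.
EXPECTED_SOURCE_NETS = ("203.0.113.0/24",)

def find_mfa_registrations(records, expected_nets=EXPECTED_SOURCE_NETS):
    """Return one finding per successful MFA device registration, rated per the severity table."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    findings = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com" or rec.get("eventName") not in MFA_REGISTRATION_EVENTS:
            continue
        if rec.get("errorCode"):  # the call failed, so no device was actually registered
            continue
        src = rec.get("sourceIPAddress", "")
        try:
            from_expected_net = any(ipaddress.ip_address(src) in net for net in nets)
        except ValueError:  # CloudTrail may record a service name such as "AWS Internal" instead of an IP
            from_expected_net = False
        actor = rec.get("userIdentity", {}).get("userName")
        params = rec.get("requestParameters") or {}
        target = params.get("userName", actor)
        # Unexpected if it came from outside the known range or one principal enrolled a device for another.
        unexpected = not from_expected_net or target != actor
        findings.append({"time": rec["eventTime"], "actor": actor, "target": target,
                         "serial": params.get("serialNumber"), "source_ip": src,
                         "user_agent": rec.get("userAgent"),
                         "severity": "Low" if unexpected else "Informational"})
    return findings
```

Each Low finding carries the IP, user agent and device serial needed to confirm with the user and, if unauthorized, to deactivate that specific device.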
Known False Positives
- A new employee registering their MFA device for the first time
- An existing user replacing a lost or damaged MFA device