AWS MFA device registered

ID: aws_mfa_registered
Data type: AWS CloudTrail
Severity: Informational - Low
MITRE ATT&CK: TA0003:T1556.006

Description

AlphaSOC detected the successful registration of an AWS Multi-Factor Authentication (MFA) device, potentially indicating an adversary attempting to establish persistence in a compromised AWS environment.

Impact

After configuring their own MFA device on a compromised account, attackers can establish persistent access to the AWS environment. This enables them to conduct further malicious activities.

Severity

| Severity | Condition |
| --- | --- |
| Informational | An AWS MFA device was registered |
| Low | An AWS MFA device was registered unexpectedly |

Investigation and Remediation

Investigate the AWS MFA device registration by reviewing AWS CloudTrail logs to identify the IP address, user agent, and any associated API calls. Verify whether the registration was authorized and performed by a legitimate user. If unauthorized, disable and remove the suspicious device, reset the affected user's credentials, and review recent account activities for signs of compromise.
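One way to carry out the CloudTrail review described above, as an added example that is not AlphaSOC's detection logic. It keys on IAM's `EnableMFADevice` API call (the page does not name the event); the sample records, the one-hour correlation window, and the "source IP not seen earlier for this principal" heuristic are assumptions made for illustration.

```python
from datetime import datetime, timedelta

def _ev(time, name, ip, agent, user, params=None, error=None):
    """Build a minimal CloudTrail-shaped IAM record (constructed sample data)."""
    rec = {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
           "sourceIPAddress": ip, "userAgent": agent, "requestParameters": params or {},
           "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::111122223333:user/{user}"}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed records; the account ID and IP addresses are documentation values.
SAMPLE = [
    _ev("2024-05-01T09:00:00Z", "GetUser", "198.51.100.7", "console.amazonaws.com", "alice"),
    _ev("2024-05-01T10:00:00Z", "GetUser", "198.51.100.9", "console.amazonaws.com", "bob"),
    _ev("2024-05-02T10:00:00Z", "EnableMFADevice", "198.51.100.9", "console.amazonaws.com", "bob",
        {"userName": "bob", "serialNumber": "arn:aws:iam::111122223333:mfa/bob"}),
    _ev("2024-05-03T02:10:00Z", "ListAccessKeys", "203.0.113.50", "aws-cli/2.15.0", "alice"),
    _ev("2024-05-03T02:12:00Z", "EnableMFADevice", "203.0.113.50", "aws-cli/2.15.0", "alice",
        {"userName": "alice"}, error="AccessDenied"),
    _ev("2024-05-03T02:13:00Z", "EnableMFADevice", "203.0.113.50", "aws-cli/2.15.0", "alice",
        {"userName": "alice", "serialNumber": "arn:aws:iam::111122223333:mfa/alice-new"}),
    _ev("2024-05-03T02:15:00Z", "CreateAccessKey", "203.0.113.50", "aws-cli/2.15.0", "alice"),
]

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def triage_mfa_registrations(records, window=timedelta(hours=1)):
    """One finding per successful EnableMFADevice call; the window is an assumed default."""
    findings = []
    for rec in records:
        if rec.get("eventName") != "EnableMFADevice" or "errorCode" in rec:
            continue  # skip other calls and failed attempts (no device was registered)
        actor, when = rec["userIdentity"]["arn"], _ts(rec)
        same_actor = [r for r in records if r is not rec and r["userIdentity"]["arn"] == actor]
        # Baseline: source IPs this principal used before the correlation window opened.
        baseline_ips = {r["sourceIPAddress"] for r in same_actor if _ts(r) < when - window}
        findings.append({
            "actor": actor,
            "target_user": rec["requestParameters"].get("userName"),
            "device": rec["requestParameters"].get("serialNumber"),
            "source_ip": rec["sourceIPAddress"],
            "user_agent": rec["userAgent"],
            "new_source_ip": rec["sourceIPAddress"] not in baseline_ips,
            "related_calls": [(r["eventName"], r.get("errorCode"))
                              for r in same_actor if abs(_ts(r) - when) <= window],
        })
    return findings
```

Calling `triage_mfa_registrations(SAMPLE)` returns two findings: the registration for `bob` comes from an address he used before with no surrounding activity, while the one for `alice` comes from a new address and sits between `ListAccessKeys`, a failed registration attempt, and `CreateAccessKey`.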

Known False Positives

  • A new employee registering their MFA device for the first time
  • An existing user replacing a lost or damaged MFA device