CreateVirtualMFADevice

CSP: AWS

Event

Creates a virtual MFA device, potentially allowing an attacker to register MFA on a compromised account for persistent access.

Security Context

  • Registering an attacker-controlled MFA device on a compromised account locks out the legitimate owner and ensures the adversary maintains access even if the password is reset.
  • This technique provides strong persistence by tying account access to a secret the attacker controls, making remediation more complex than simple credential rotation.

Log Source

CloudTrail
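
One way to hunt for this in CloudTrail, as an added example that is not part of the original page: it pairs each successful CreateVirtualMFADevice with a later EnableMFADevice for the same serial number, which goes beyond the single event described here. The records are constructed, and the field layout (`responseElements.virtualMFADevice.serialNumber`, `requestParameters.userName`) is assumed from the usual shape of CloudTrail IAM records.

```python
# Constructed CloudTrail records (not real events); account id, names and IPs are placeholders.
SERIAL = "arn:aws:iam::111122223333:mfa/"
USER = "arn:aws:iam::111122223333:user/"
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "EnableMFADevice", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": USER + "alice"},
     "requestParameters": {"userName": "alice", "serialNumber": SERIAL + "dev1"}},
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateVirtualMFADevice", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": USER + "alice"},
     "responseElements": {"virtualMFADevice": {"serialNumber": SERIAL + "dev1"}}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateVirtualMFADevice", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"arn": USER + "bob"},
     "responseElements": {"virtualMFADevice": {"serialNumber": SERIAL + "dev2"}}},
    {"eventTime": "2024-01-01T12:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateVirtualMFADevice", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"arn": USER + "carol"},
     "errorCode": "AccessDenied", "responseElements": None},
]

def find_mfa_registrations(records):
    """One finding per successful CreateVirtualMFADevice, in time order,
    annotated with the user the device was later enabled for (if any)."""
    findings = {}
    # ISO-8601 UTC timestamps sort correctly as strings.
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if rec.get("eventSource") != "iam.amazonaws.com" or rec.get("errorCode"):
            continue  # ignore other services and failed calls
        if rec.get("eventName") == "CreateVirtualMFADevice":
            device = (rec.get("responseElements") or {}).get("virtualMFADevice") or {}
            serial = device.get("serialNumber")
            if serial:
                findings[serial] = {
                    "serial": serial,
                    "created_at": rec["eventTime"],
                    "created_by": (rec.get("userIdentity") or {}).get("arn"),
                    "source_ip": rec.get("sourceIPAddress"),
                    "enabled_for": None,  # stays None if never bound to a user
                }
        elif rec.get("eventName") == "EnableMFADevice":
            params = rec.get("requestParameters") or {}
            finding = findings.get(params.get("serialNumber"))
            if finding:
                finding["enabled_for"] = params.get("userName")
    return list(findings.values())

if __name__ == "__main__":
    for f in find_mfa_registrations(SAMPLE_RECORDS):
        print(f)
```

A finding whose `created_by` principal or `source_ip` is unfamiliar for the user in `enabled_for` is the case worth triaging first.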

Sample Event

MITRE ATT&CK Mapping

Tactics: Persistence

Techniques:
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.