DeleteVirtualMFADevice

CSP: AWS

Event

Deletes a virtual MFA device, weakening account security by removing multi-factor authentication.

Security Context

  • Removing MFA from an account eliminates the second authentication factor, making the account vulnerable to password-only attacks and lowering the bar for persistent access.
  • Adversaries delete MFA devices as a precursor to account takeover, ensuring they can authenticate with stolen credentials alone without triggering MFA challenges.

Log Source

CloudTrail

Sample Event

MITRE ATT&CK Mapping

Tactics: Persistence

Techniques:
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.
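The following is an added example, not part of the original page: a minimal triage pass over CloudTrail records that surfaces successful `DeleteVirtualMFADevice` calls and notes whether the calling session was itself MFA-authenticated. The records are constructed (placeholder account ID, ARNs and documentation-range IPs), and the `high`/`medium` severity labels are an assumption of this example, not a rating from the page.

```python
# Constructed CloudTrail records (not from the page). Field names follow the
# CloudTrail record format; account ID, ARNs and IPs are placeholders.
ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"
ADMIN = "arn:aws:iam::111122223333:user/admin"
SERIAL = "arn:aws:iam::111122223333:mfa/alice"

def _rec(name, arn, ip, mfa, time, error=None):
    rec = {
        "eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
        "sourceIPAddress": ip, "requestParameters": {"serialNumber": SERIAL},
        "userIdentity": {"arn": arn,
                         "sessionContext": {"attributes": {"mfaAuthenticated": mfa}}},
    }
    if error:
        rec["errorCode"] = error  # present only when the API call failed
    return rec

SAMPLE_RECORDS = [
    _rec("DeleteVirtualMFADevice", BOB, "198.51.100.9", "false",
         "2024-01-01T09:59:00Z", error="AccessDenied"),
    _rec("DeactivateMFADevice", ALICE, "198.51.100.7", "false", "2024-01-01T10:00:00Z"),
    _rec("DeleteVirtualMFADevice", ALICE, "198.51.100.7", "false", "2024-01-01T10:00:05Z"),
    _rec("DeleteVirtualMFADevice", ADMIN, "203.0.113.20", "true", "2024-01-02T09:00:00Z"),
]

def find_mfa_deletions(records):
    """Return one finding per successful DeleteVirtualMFADevice call."""
    findings = []
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) != (
                "iam.amazonaws.com", "DeleteVirtualMFADevice"):
            continue
        if rec.get("errorCode"):  # denied or failed: the device was not removed
            continue
        identity = rec.get("userIdentity") or {}
        attrs = (identity.get("sessionContext") or {}).get("attributes") or {}
        # CloudTrail records mfaAuthenticated as the string "true" or "false";
        # access-key calls may carry no sessionContext at all (treated as no MFA).
        mfa_session = attrs.get("mfaAuthenticated") == "true"
        findings.append({
            "time": rec.get("eventTime"),
            "actor": identity.get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            "device": (rec.get("requestParameters") or {}).get("serialNumber"),
            # Assumed triage rule: removal from a session without MFA ranks higher.
            "severity": "medium" if mfa_session else "high",
        })
    return findings

if __name__ == "__main__":
    for finding in find_mfa_deletions(SAMPLE_RECORDS):
        print(finding)
```
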