Skip to content

DeleteVirtualMFADevice

AWS

DeleteVirtualMFADevice

service: AWS - IAM
tactics:
techniques:

Event

Deletes a virtual MFA device, weakening account security by removing multi-factor authentication.

Security Context

  • Removing MFA from an account eliminates the second authentication factor, making the account vulnerable to password-only attacks and lowering the bar for persistent access.
  • Adversaries delete MFA devices as a precursor to account takeover, ensuring they can authenticate with stolen credentials alone without triggering MFA challenges.

Log Source

CloudTrail

Sample Event

Adversarial. Right after deactivating his virtual MFA device, Draco deletes it — clearing the device entry so a future MFA enrollment can register a new device under attacker control without a name collision. T1098 (Account Manipulation — adversaries weaken account security as a precursor to entrenching access).

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T19:02:11Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T19:13:21Z",
"eventSource": "iam.amazonaws.com",
"eventName": "DeleteVirtualMFADevice",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"serialNumber": "arn:aws:iam::555123456789:mfa/draco-totp"
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000100000110",
"eventID": "90000000-0000-4000-8000-000100000111",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "iam.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Persistence

Techniques:
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...