AWS Console Login Failed During MFA Challenge

name: AWS Console Login Failed During MFA Challenge
id: 55349868-5583-466f-98ab-d3beb321961e
version: 9
date: '2026-03-10'
author: Bhavin Patel, Splunk
status: production
type: TTP
description: The following analytic identifies failed authentication attempts to the AWS Console during the Multi-Factor Authentication (MFA) challenge. It leverages AWS CloudTrail logs, specifically the `additionalEventData` field, to detect when MFA was used but the login attempt still failed. This activity is significant as it may indicate an adversary attempting to access an account with compromised credentials but being thwarted by MFA. If confirmed malicious, this could suggest an ongoing attempt to breach the account, potentially leading to unauthorized access and further attacks if MFA is bypassed.
data_source:
    - AWS CloudTrail ConsoleLogin
search: |-
    `cloudtrail` eventName= ConsoleLogin errorMessage="Failed authentication" additionalEventData.MFAUsed = "Yes"
      | rename user_name as user
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY signature dest user
           user_agent src vendor_account
           vendor_region vendor_product additionalEventData.MFAUsed
           errorMessage
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `aws_console_login_failed_during_mfa_challenge_filter`
how_to_implement: The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs.
known_false_positives: Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake.
references:
    - https://attack.mitre.org/techniques/T1621/
    - https://aws.amazon.com/what-is/mfa/
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: User $user$ failed to pass MFA challenge while logging into console from $src$
    risk_objects:
        - field: user
          type: user
          score: 50
    threat_objects:
        - field: src
          type: ip_address
tags:
    analytic_story:
        - AWS Identity and Access Management Account Takeover
        - Compromised User Account
    asset_type: AWS Account
    mitre_attack_id:
        - T1586.003
        - T1621
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: threat
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_failed_mfa/cloudtrail.json
          sourcetype: aws:cloudtrail
          source: aws_cloudtrail