AWS Concurrent Sessions From Different Ips
Description
The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute window. It leverages AWS CloudTrail logs, specifically the DescribeEventAggregates event, to detect this behavior. This activity is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. If confirmed malicious, this could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation within the AWS environment.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2024-05-15
- Author: Bhavin Patel, Splunk
- ID: 51c04fdb-2746-465a-b86e-b413a09c9085
Annotations
Kill Chain Phase
- Exploitation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
`cloudtrail` eventName = DescribeEventAggregates src_ip!="AWS Internal"
| bin span=5m _time
| stats values(userAgent) values(eventName) values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn
| where distinct_ip_count > 1
| `aws_concurrent_sessions_from_different_ips_filter`
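The same detection logic, re-implemented here as an added example (not part of the Splunk detection or its tests) over constructed CloudTrail-style records, so the 5-minute binning and the distinct-IP threshold can be checked offline. Field names and the sample ARNs and addresses are constructed to mirror the fields the SPL uses.

```python
"""Offline re-implementation of the SPL: filter DescribeEventAggregates events,
drop src_ip "AWS Internal", bin on 5 minutes, count distinct src_ip per user_arn."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real CloudTrail data); fields mirror the
# Splunk fields used by the search: _time, eventName, src_ip, userAgent, user_arn.
ALICE = "arn:aws:iam::123456789012:user/alice"  # constructed ARN
BOB = "arn:aws:iam::123456789012:user/bob"      # constructed ARN
SAMPLE_EVENTS = [
    {"_time": "2024-05-15T10:00:10Z", "eventName": "DescribeEventAggregates",
     "src_ip": "198.51.100.7", "userAgent": "console.amazonaws.com", "user_arn": ALICE},
    {"_time": "2024-05-15T10:03:40Z", "eventName": "DescribeEventAggregates",
     "src_ip": "203.0.113.9", "userAgent": "console.amazonaws.com", "user_arn": ALICE},
    # Excluded by the base search: src_ip!="AWS Internal"
    {"_time": "2024-05-15T10:01:00Z", "eventName": "DescribeEventAggregates",
     "src_ip": "AWS Internal", "userAgent": "health.amazonaws.com", "user_arn": BOB},
    # Bob's two IPs fall into different 5-minute bins, so he is NOT flagged
    {"_time": "2024-05-15T10:02:00Z", "eventName": "DescribeEventAggregates",
     "src_ip": "198.51.100.20", "userAgent": "console.amazonaws.com", "user_arn": BOB},
    {"_time": "2024-05-15T10:07:00Z", "eventName": "DescribeEventAggregates",
     "src_ip": "198.51.100.21", "userAgent": "console.amazonaws.com", "user_arn": BOB},
    # Excluded by the base search: eventName is not DescribeEventAggregates
    {"_time": "2024-05-15T10:02:30Z", "eventName": "ListBuckets",
     "src_ip": "192.0.2.44", "userAgent": "aws-cli/2.15", "user_arn": ALICE},
]

SPAN_SECONDS = 300  # "| bin span=5m _time"


def bucket(ts: str) -> int:
    """Floor an ISO-8601 UTC timestamp to the start of its 5-minute bin (epoch seconds)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(dt.timestamp())
    return epoch - epoch % SPAN_SECONDS


def concurrent_sessions(events, threshold: int = 1):
    """Return {(bin_start, user_arn): sorted distinct src_ips} for every user/bin
    whose distinct IP count exceeds `threshold` ("| where distinct_ip_count > 1")."""
    seen = defaultdict(set)
    for ev in events:
        if ev["eventName"] != "DescribeEventAggregates" or ev["src_ip"] == "AWS Internal":
            continue  # base search filters
        seen[(bucket(ev["_time"]), ev["user_arn"])].add(ev["src_ip"])  # stats dc(src_ip) by _time user_arn
    return {key: sorted(ips) for key, ips in seen.items() if len(ips) > threshold}


if __name__ == "__main__":
    for (start, arn), ips in concurrent_sessions(SAMPLE_EVENTS).items():
        print(f"{arn}: {len(ips)} distinct IPs {ips} in the 5m bin starting at {start}")
```

Note that fixed-width bins mean two sessions a minute apart can land in adjacent bins and go unflagged (bob above), so tune the span alongside the threshold when adapting this to your environment.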
Macros
The SPL above uses the following Macros:
aws_concurrent_sessions_from_different_ips_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- eventName
- userAgent
- errorCode
- user_arn
- aws_account_id
- src_ip
How To Implement
You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with AWS CloudTrail logs.
Known False Positives
A user with concurrent sessions from different IPs may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 42.0 | 70 | 60 | User $user_arn$ has concurrent sessions from more than one unique IP address $src_ip$ in the span of 5 minutes. |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence / 100). The initial Confidence and Impact values are set by the analytic author.
Reference
- https://attack.mitre.org/techniques/T1185/
- https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/
- https://github.com/kgretzky/evilginx2
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.
source | version: 2