Description

Identify activity and techniques associated with accessing credential material on AWS resources, and monitor unusual authentication-related activity against the AWS Console and other services such as RDS.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication
  • Last Updated: 2022-08-19
  • Author: Gowthamaraj Rajendran, Bhavin Patel, Splunk
  • ID: 4210b690-293f-411d-a9d8-bcfb2ea5fff9

Narrative

Adversaries employ a variety of techniques to steal AWS cloud credentials such as account names, passwords and access keys. Using legitimate keys helps an attacker reach other sensitive systems while mimicking legitimate behaviour, which makes the activity harder to detect. Such activity may involve multiple failed logins to the console, console logins by new users or from new locations, and password reset activity (for example, resetting an RDS master user password).

Detections

Name                                               Technique                          Type
AWS Credential Access Failed Login                 Password Guessing                  TTP
AWS Credential Access GetPasswordData              Unsecured Credentials              Anomaly
AWS Credential Access RDS Password reset           Password Cracking                  TTP
Detect AWS Console Login by New User               -                                  Hunting
Detect AWS Console Login by User from New City     Unused/Unsupported Cloud Regions   Hunting
Detect AWS Console Login by User from New Country  Unused/Unsupported Cloud Regions   Hunting
Detect AWS Console Login by User from New Region   Unused/Unsupported Cloud Regions   Hunting
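The following is an added example and not part of this analytic story or its Splunk searches (whose SPL is not reproduced on this page). It re-implements, in plain Python, the signals the narrative and the detections above describe: repeated failed console logins per user and source IP, GetPasswordData calls, RDS master password resets via ModifyDBInstance, and successful console logins by users absent from a baseline. The field names (eventSource, eventName, userIdentity.userName, sourceIPAddress, responseElements.ConsoleLogin, requestParameters.masterUserPassword) follow CloudTrail's record format; the event values, the IP addresses and the "known users" baseline are constructed for the example, and the failed-login threshold of 3 is an assumption rather than the story's tuned value.

```python
"""Added example: toy re-implementation of the AWS Credential Access signals
over constructed CloudTrail-style records. Not the Splunk searches themselves."""
import json
from collections import Counter


def console_login(user, ip, ok):
    """Build a constructed CloudTrail ConsoleLogin record (field names are
    CloudTrail's; values are made up)."""
    ev = {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
          "userIdentity": {"type": "IAMUser", "userName": user},
          "sourceIPAddress": ip,
          "responseElements": {"ConsoleLogin": "Success" if ok else "Failure"}}
    if not ok:
        ev["errorMessage"] = "Failed authentication"
    return ev


# Constructed sample: 4 failed + 1 successful login for alice from one IP,
# a login by a user not in the baseline, a GetPasswordData call, an RDS
# master password reset and a benign RDS modification.
SAMPLE_EVENTS = (
    [console_login("alice", "203.0.113.10", ok=False) for _ in range(4)]
    + [console_login("alice", "203.0.113.10", ok=True),
       console_login("bob", "198.51.100.7", ok=True),
       console_login("new-contractor", "198.51.100.7", ok=True),
       {"eventSource": "ec2.amazonaws.com", "eventName": "GetPasswordData",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"instanceId": "i-0123456789abcdef0"}},
       {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"dBInstanceIdentifier": "prod-db",
                              "masterUserPassword": "****"}},
       {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"dBInstanceIdentifier": "prod-db",
                              "allocatedStorage": 200}}]
)


def _user(ev):
    return ev.get("userIdentity", {}).get("userName", "<unknown>")


def _login_result(ev):
    return ev.get("responseElements", {}).get("ConsoleLogin")


def failed_console_logins(events, threshold=3):
    """Password guessing: (user, source IP, count) for pairs with at least
    `threshold` failed ConsoleLogin events. Threshold is an assumption."""
    counts = Counter((_user(ev), ev.get("sourceIPAddress")) for ev in events
                     if ev.get("eventName") == "ConsoleLogin"
                     and _login_result(ev) == "Failure")
    return sorted((u, ip, n) for (u, ip), n in counts.items() if n >= threshold)


def get_password_data_calls(events):
    """Unsecured credentials: GetPasswordData fetches the (encrypted) Windows
    administrator password of an EC2 instance; any call is worth reviewing."""
    return [(_user(ev), ev.get("requestParameters", {}).get("instanceId"))
            for ev in events if ev.get("eventName") == "GetPasswordData"]


def rds_password_resets(events):
    """Only ModifyDBInstance calls carrying masterUserPassword are resets;
    other modifications (storage, instance class) are deliberately ignored."""
    return [(_user(ev), ev.get("requestParameters", {}).get("dBInstanceIdentifier"))
            for ev in events
            if ev.get("eventName") == "ModifyDBInstance"
            and "masterUserPassword" in ev.get("requestParameters", {})]


def new_console_logins(events, known_users):
    """Successful console logins by users absent from `known_users`, a
    baseline assumed here to come from historical data."""
    return sorted({_user(ev) for ev in events
                   if ev.get("eventName") == "ConsoleLogin"
                   and _login_result(ev) == "Success"
                   and _user(ev) not in set(known_users)})


def run_detections(events, known_users):
    return {"failed_logins": failed_console_logins(events),
            "get_password_data": get_password_data_calls(events),
            "rds_password_reset": rds_password_resets(events),
            "new_console_users": new_console_logins(events, known_users)}


if __name__ == "__main__":
    print(json.dumps(run_detections(SAMPLE_EVENTS, {"alice", "bob"}), indent=2))
```

The login-by-new-user check needs a baseline of previously seen users, which is why it is listed as a hunting search rather than an alert: whatever populates the baseline (here a hard-coded set) determines the false-positive rate. The city/country/region variants in the table follow the same pattern with a geolocated source IP in place of the user name.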

Reference

source | version: 1