Analytics Story: AWS Identity and Access Management Account Takeover
Description
Identify activity and techniques associated with accessing credential files from AWS resources, and monitor unusual authentication-related activity against the AWS Console and other services such as RDS.
Why it matters
Amazon Web Services provides a web service known as Identity and Access Management (IAM) for controlling and securely managing access to AWS resources. It is the foundation of how users in AWS interact with resources and services in the cloud, and vice versa. Account Takeover (ATO) is an attack in which cybercriminals gain unauthorized access to online accounts using techniques such as brute force, social engineering, phishing and spear phishing, and credential stuffing. Adversaries employ a variety of techniques to steal AWS cloud credentials (account names, passwords and access keys) and take over legitimate user accounts. Use of legitimate keys lets attackers gain access to other sensitive systems while mimicking legitimate behaviour, which makes them harder to detect. Such activity may involve multiple failed logins to the console, new console logins, and password reset activity.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
AWS CloudTrail | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail ConsoleLogin | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail CreateVirtualMFADevice | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail DeactivateMFADevice | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail DeleteVirtualMFADevice | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail DescribeEventAggregates | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail GetPasswordData | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail ModifyDBInstance | AWS | aws:cloudtrail | aws_cloudtrail |
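The indicators this story describes (repeated failed console logins followed by a successful one, MFA device deactivation or deletion, GetPasswordData calls, and RDS master-password changes via ModifyDBInstance), expressed as detection logic run over the CloudTrail event names listed in the data sources table. This is an added Python example, not a detection from the Splunk security content repository: the CloudTrail records, user names, IP addresses, ARNs and thresholds below are constructed, and the code assumes that CloudTrail records a ModifyDBInstance password change with a redacted `masterUserPassword` key in `requestParameters`.

```python
"""Detect account-takeover indicators in AWS CloudTrail records (added example)."""
from collections import Counter
from pprint import pprint

# Constructed CloudTrail records (made-up users, IPs, ARNs). Real records carry
# many more fields; only those the detections below read are included.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeactivateMFADevice", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice",
                           "serialNumber": "arn:aws:iam::123456789012:mfa/alice"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "GetPasswordData", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"instanceId": "i-0123456789abcdef0"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "ModifyDBInstance", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     # Assumption: CloudTrail keeps the key but redacts the value.
     "requestParameters": {"dBInstanceIdentifier": "prod-db", "masterUserPassword": "****"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2024-05-01T11:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"}},
]

FAILED_LOGIN_THRESHOLD = 3  # constructed tuning value; adjust to your baseline
MFA_TAMPER_EVENTS = {"DeactivateMFADevice", "DeleteVirtualMFADevice", "CreateVirtualMFADevice"}


def actor(event):
    """Best-effort principal name from userIdentity (userName, else arn, else type)."""
    ident = event.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def login_outcome(event):
    """'Success', 'Failure' or None for a ConsoleLogin record."""
    if event.get("eventName") != "ConsoleLogin":
        return None
    return (event.get("responseElements") or {}).get("ConsoleLogin")


def failed_console_logins(events, threshold=FAILED_LOGIN_THRESHOLD):
    """Count failed ConsoleLogin events per (user, source IP); return pairs at/above threshold."""
    counts = Counter()
    for e in events:
        if login_outcome(e) == "Failure":
            counts[(actor(e), e.get("sourceIPAddress"))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def success_after_failures(events, threshold=FAILED_LOGIN_THRESHOLD):
    """(user, IP) pairs whose successful ConsoleLogin follows >= threshold failures, in time order."""
    failures, hits = Counter(), []
    for e in sorted(events, key=lambda x: x["eventTime"]):
        outcome = login_outcome(e)
        key = (actor(e), e.get("sourceIPAddress"))
        if outcome == "Failure":
            failures[key] += 1
        elif outcome == "Success":
            if failures[key] >= threshold:
                hits.append(key)
            failures[key] = 0  # a success closes the failure run
    return hits


def mfa_tampering(events):
    """MFA device creation/deactivation/deletion: (eventName, actor, target user)."""
    return [(e["eventName"], actor(e), (e.get("requestParameters") or {}).get("userName"))
            for e in events if e.get("eventName") in MFA_TAMPER_EVENTS]


def credential_access(events):
    """GetPasswordData (EC2 Windows admin password) and ModifyDBInstance master-password changes."""
    hits = []
    for e in events:
        params = e.get("requestParameters") or {}
        if e.get("eventName") == "GetPasswordData":
            hits.append(("GetPasswordData", actor(e), params.get("instanceId")))
        elif e.get("eventName") == "ModifyDBInstance" and "masterUserPassword" in params:
            hits.append(("ModifyDBInstance", actor(e), params.get("dBInstanceIdentifier")))
    return hits


def run(events=SAMPLE_EVENTS):
    return {"brute_force": failed_console_logins(events),
            "success_after_failures": success_after_failures(events),
            "mfa_tampering": mfa_tampering(events),
            "credential_access": credential_access(events)}


if __name__ == "__main__":
    pprint(run())
```

Keyed on user plus source IP, the login detections separate a password-spray from one address from a user who mistyped a password twice; the MFA and credential-access detections are deliberately unconditional, since each of those event names is rare enough in most accounts that every occurrence is worth a look, with the actor and target fields carried along for triage.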
References
Source: GitHub | Version: 2