Analytics Story: AWS Identity and Access Management Account Takeover

Description

Identify activity and techniques associated with accessing credential files from AWS resources, and monitor unusual authentication-related activity against the AWS Console and other services such as RDS.

Why it matters

Amazon Web Services provides a web service known as Identity and Access Management (IAM) for controlling and securely managing access to AWS resources. It is the foundation of how users in AWS interact with resources and services in the cloud, and vice versa. Account Takeover (ATO) is an attack in which cybercriminals gain unauthorized access to online accounts using techniques such as brute force, social engineering, phishing and spear phishing, and credential stuffing. Adversaries employ a variety of techniques to steal AWS cloud credentials such as account names, passwords and keys, and to take over legitimate user accounts. Use of legitimate keys lets attackers reach other sensitive systems, and it also lets them mimic legitimate behaviour, making them harder to detect. Such activity may involve multiple failed logins to the console, new console logins and password reset activities.

Detections

| Name | Technique | Type |
| --- | --- | --- |
| ASL AWS Concurrent Sessions From Different Ips | Browser Session Hijacking | Anomaly |
| ASL AWS Multi-Factor Authentication Disabled | Compromise Accounts: Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process: Multi-Factor Authentication | TTP |
| ASL AWS New MFA Method Registered For User | Modify Authentication Process: Multi-Factor Authentication | TTP |
| AWS Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP |
| AWS Console Login Failed During MFA Challenge | Compromise Accounts: Cloud Accounts, Multi-Factor Authentication Request Generation | TTP |
| AWS Credential Access Failed Login | Compromise Accounts: Cloud Accounts, Brute Force: Password Guessing | TTP |
| AWS Credential Access GetPasswordData | Compromise Accounts: Cloud Accounts, Brute Force: Password Guessing | Anomaly |
| AWS Credential Access RDS Password reset | Compromise Accounts: Cloud Accounts, Brute Force | TTP |
| AWS High Number Of Failed Authentications For User | Password Policy Discovery | Anomaly |
| AWS High Number Of Failed Authentications From Ip | Brute Force: Password Spraying, Brute Force: Credential Stuffing | Anomaly |
| AWS Multi-Factor Authentication Disabled | Compromise Accounts: Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process: Multi-Factor Authentication | TTP |
| AWS Multiple Failed MFA Requests For User | Compromise Accounts: Cloud Accounts, Multi-Factor Authentication Request Generation | Anomaly |
| AWS Multiple Users Failing To Authenticate From Ip | Brute Force: Password Spraying, Brute Force: Credential Stuffing | Anomaly |
| AWS New MFA Method Registered For User | Modify Authentication Process: Multi-Factor Authentication | TTP |
| AWS Successful Single-Factor Authentication | Compromise Accounts: Cloud Accounts, Valid Accounts: Cloud Accounts | TTP |
| AWS Unusual Number of Failed Authentications From Ip | Compromise Accounts: Cloud Accounts, Brute Force: Password Spraying, Brute Force: Credential Stuffing | Anomaly |
| Detect AWS Console Login by New User | Compromise Accounts: Cloud Accounts, Unsecured Credentials | Hunting |
| Detect AWS Console Login by User from New City | Compromise Accounts: Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting |
| Detect AWS Console Login by User from New Country | Compromise Accounts: Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting |
| Detect AWS Console Login by User from New Region | Compromise Accounts: Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting |

Data Sources

| Name | Platform | Sourcetype | Source |
| --- | --- | --- | --- |
| AWS CloudTrail | AWS | aws:cloudtrail | aws_cloudtrail |
| AWS CloudTrail ConsoleLogin | AWS | aws:cloudtrail | aws_cloudtrail |
| AWS CloudTrail CreateVirtualMFADevice | AWS | aws:cloudtrail | aws_cloudtrail |
| AWS CloudTrail DeactivateMFADevice | AWS | aws:cloudtrail | aws_cloudtrail |
| AWS CloudTrail DeleteVirtualMFADevice | AWS | aws:cloudtrail | aws_cloudtrail |
| AWS CloudTrail DescribeEventAggregates | AWS | aws:cloudtrail | aws_cloudtrail |
| AWS CloudTrail GetPasswordData | AWS | aws:cloudtrail | aws_cloudtrail |
| AWS CloudTrail ModifyDBInstance | AWS | aws:cloudtrail | aws_cloudtrail |
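The activity described under "Why it matters" (repeated console login failures, single-factor logins, MFA being disabled, RDS password resets) maps directly onto the CloudTrail event names in the data sources above. The following is an added example written for this page, not Splunk's own detection logic or SPL: a small Python pass over constructed CloudTrail records that reproduces the intent of several of the listed detections (failed authentications from one IP, multiple users failing from one IP, single-factor console login, MFA disabled, RDS password reset, GetPasswordData). The sample records, user names, IP addresses, instance identifiers and the two thresholds are all constructed for illustration; the field names follow CloudTrail's JSON shape (`eventName`, `sourceIPAddress`, `userIdentity.userName`, `responseElements.ConsoleLogin`, `additionalEventData.MFAUsed`, `requestParameters`).

```python
# Added example (not Splunk's own detection code): a detection pass over
# CloudTrail records for the event names this story lists. Sample records
# and thresholds are constructed for illustration.
import json
from collections import defaultdict

# Constructed sample CloudTrail records, one JSON object per line. The IPs are
# documentation ranges and the users/instances are made up.
SAMPLE_CLOUDTRAIL = """
{"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "bob"}, "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "bob"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventName": "DeactivateMFADevice", "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "bob"}, "requestParameters": {"userName": "bob", "serialNumber": "arn:aws:iam::111122223333:mfa/bob"}}
{"eventName": "ModifyDBInstance", "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "bob"}, "requestParameters": {"dBInstanceIdentifier": "prod-db", "masterUserPassword": "****"}}
{"eventName": "GetPasswordData", "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "bob"}, "requestParameters": {"instanceId": "i-0123456789abcdef0"}}
{"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5", "userIdentity": {"userName": "carol"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}}
"""

FAILED_LOGIN_THRESHOLD = 3   # hypothetical: failures from one IP before alerting
DISTINCT_USER_THRESHOLD = 2  # hypothetical: distinct users failing from one IP


def parse_cloudtrail(text):
    """Parse newline-delimited CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_account_takeover(events):
    """Return findings as dicts with at least rule, subject and source_ip.

    Per-event rules fire immediately; the failed-login rules aggregate by
    source IP and fire after the whole batch has been read.
    """
    findings = []
    failed_users_by_ip = defaultdict(list)

    for e in events:
        name = e.get("eventName")
        ip = e.get("sourceIPAddress")
        actor = (e.get("userIdentity") or {}).get("userName", "unknown")
        req = e.get("requestParameters") or {}

        if name == "ConsoleLogin":
            outcome = (e.get("responseElements") or {}).get("ConsoleLogin")
            mfa_used = (e.get("additionalEventData") or {}).get("MFAUsed")
            if outcome == "Failure":
                failed_users_by_ip[ip].append(actor)
            elif outcome == "Success" and mfa_used == "No":
                # Successful login without a second factor.
                findings.append({"rule": "single_factor_console_login",
                                 "subject": actor, "source_ip": ip})
        elif name in ("DeactivateMFADevice", "DeleteVirtualMFADevice"):
            # The affected user is in requestParameters; fall back to the actor.
            findings.append({"rule": "mfa_disabled",
                             "subject": req.get("userName", actor), "source_ip": ip})
        elif name == "ModifyDBInstance" and "masterUserPassword" in req:
            # CloudTrail redacts the password value but keeps the key.
            findings.append({"rule": "rds_password_reset",
                             "subject": req.get("dBInstanceIdentifier"), "source_ip": ip})
        elif name == "GetPasswordData":
            findings.append({"rule": "get_password_data",
                             "subject": req.get("instanceId"), "source_ip": ip})

    for ip, users in failed_users_by_ip.items():
        if len(users) >= FAILED_LOGIN_THRESHOLD:
            findings.append({"rule": "failed_logins_from_ip", "subject": ip,
                             "source_ip": ip, "count": len(users)})
        if len(set(users)) >= DISTINCT_USER_THRESHOLD:
            findings.append({"rule": "multiple_users_failing_from_ip", "subject": ip,
                             "source_ip": ip, "count": len(set(users))})
    return findings


if __name__ == "__main__":
    for finding in detect_account_takeover(parse_cloudtrail(SAMPLE_CLOUDTRAIL)):
        print(finding)
```

Run stand-alone, the script prints six findings for the sample batch: the single-factor login and MFA deactivation for `bob`, the `prod-db` password reset, the `GetPasswordData` call, and the two aggregate failed-login findings for `198.51.100.7`; `carol`'s MFA-backed login from a different address produces nothing. In production the aggregation would run over a sliding time window rather than a whole batch, and the thresholds would be tuned to the account's baseline.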


Source: GitHub | Version: 2