Try in Splunk Security Cloud

Description

Identify activity and techniques associated with accessing credential files from AWS resources, monitor unusual authentication related activities to the AWS Console and other services such as RDS.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication, Endpoint
  • Last Updated: 2022-08-19
  • Author: Gowthamaraj Rajendran, Bhavin Patel, Splunk
  • ID: 4210b690-293f-411d-a9d8-bcfb2ea5fff9

Narrative

Amazon Web Services provides a web service known as Identity and Access Management(IAM) for controlling and securly managing various AWS resources. This is basically the foundation of how users in AWS interact with various resources/services in cloud and vice versa. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. Adversaries employ a variety of techniques to steal AWS Cloud credentials like account names, passwords and keys and takeover legitmate user accounts. Usage of legitimate keys will assist the attackers to gain access to other sensitive system and they can also mimic legitimate behaviour making them harder to be detected. Such activity may involve multiple failed login to the console, new console logins and password reset activities.

Detections

Name Technique Type
AWS Console Login Failed During MFA Challenge Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation TTP
AWS Credential Access Failed Login Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing TTP
AWS Credential Access GetPasswordData Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing Anomaly
AWS Credential Access RDS Password reset Compromise Accounts, Cloud Accounts, Brute Force TTP
AWS Multi-Factor Authentication Disabled Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication TTP
AWS Multiple Failed MFA Requests For User Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation Anomaly
AWS Multiple Users Failing To Authenticate From Ip Brute Force, Password Spraying, Credential Stuffing Anomaly
AWS Successful Single-Factor Authentication Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts TTP
AWS Unusual Number of Failed Authentications From Ip Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing Anomaly
Detect AWS Console Login by New User Compromise Accounts, Cloud Accounts, Unsecured Credentials Hunting
Detect AWS Console Login by User from New City Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions Hunting
Detect AWS Console Login by User from New Country Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions Hunting
Detect AWS Console Login by User from New Region Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions Hunting

Reference

source | version: 2