Analytics Story: AWS Identity and Access Management Account Takeover

Description

Identify activity and techniques associated with accessing credential files from AWS resources, and monitor unusual authentication-related activity against the AWS Console and other services such as RDS.

Why it matters

Amazon Web Services provides a web service known as Identity and Access Management (IAM) for controlling and securely managing access to AWS resources. It is the foundation of how users in AWS interact with cloud resources and services, and vice versa. Account Takeover (ATO) is an attack in which cybercriminals gain unauthorized access to online accounts using techniques such as brute force, social engineering, phishing and spear phishing, and credential stuffing. Adversaries employ a variety of techniques to steal AWS Cloud credentials such as account names, passwords and keys, and to take over legitimate user accounts. Use of legitimate keys lets attackers reach other sensitive systems while mimicking legitimate behaviour, which makes them harder to detect. Such activity may involve multiple failed logins to the console, new console logins and password reset activities.

Detections

Name | Technique | Type
ASL AWS Concurrent Sessions From Different Ips | Browser Session Hijacking | Anomaly
ASL AWS Credential Access GetPasswordData | Password Guessing, Cloud Accounts | Anomaly
ASL AWS Credential Access RDS Password reset | Brute Force, Cloud Accounts | TTP
ASL AWS Multi-Factor Authentication Disabled | Multi-Factor Authentication, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP
ASL AWS New MFA Method Registered For User | Multi-Factor Authentication | TTP
AWS Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP
AWS Console Login Failed During MFA Challenge | Cloud Accounts, Multi-Factor Authentication Request Generation | TTP
AWS Credential Access Failed Login | Password Guessing, Cloud Accounts | TTP
AWS Credential Access GetPasswordData | Password Guessing, Cloud Accounts | Anomaly
AWS Credential Access RDS Password reset | Brute Force, Cloud Accounts | TTP
AWS High Number Of Failed Authentications For User | Password Policy Discovery | Anomaly
AWS High Number Of Failed Authentications From Ip | Password Spraying, Credential Stuffing | Anomaly
AWS Multi-Factor Authentication Disabled | Multi-Factor Authentication, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP
AWS Multiple Failed MFA Requests For User | Cloud Accounts, Multi-Factor Authentication Request Generation | Anomaly
AWS Multiple Users Failing To Authenticate From Ip | Password Spraying, Credential Stuffing | Anomaly
AWS New MFA Method Registered For User | Multi-Factor Authentication | TTP
AWS Successful Single-Factor Authentication | Cloud Accounts, Cloud Accounts | TTP
AWS Unusual Number of Failed Authentications From Ip | Password Spraying, Credential Stuffing, Cloud Accounts | Anomaly
Detect AWS Console Login by New User | Unsecured Credentials, Cloud Accounts | Hunting
Detect AWS Console Login by User from New City | Unused/Unsupported Cloud Regions, Cloud Accounts | Hunting
Detect AWS Console Login by User from New Country | Unused/Unsupported Cloud Regions, Cloud Accounts | Hunting
Detect AWS Console Login by User from New Region | Unused/Unsupported Cloud Regions, Cloud Accounts | Hunting
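As an added illustration of the signals this story looks for (not Splunk's own detection code), the following Python runs a few of the checks listed above over constructed CloudTrail-shaped records: failed ConsoleLogin counts per source IP, several distinct users failing from one IP, a ConsoleLogin success without MFA, DeactivateMFADevice, and ModifyDBInstance carrying a master password change. The thresholds and the sample events are assumptions, not values from the story.

```python
from collections import defaultdict

# Assumed thresholds; tune them to the environment's normal failure rate.
FAILED_LOGIN_THRESHOLD = 3   # failures from one source IP
SPRAY_USER_THRESHOLD = 2     # distinct users failing from one source IP


def ev(name, ip, user, **extra):
    """Build a minimal CloudTrail-shaped record (constructed sample, not real telemetry)."""
    return {"eventName": name, "sourceIPAddress": ip, "userIdentity": {"userName": user}, **extra}


SAMPLE_EVENTS = [  # constructed: one IP spraying three users, one user weakening MFA and RDS
    ev("ConsoleLogin", "198.51.100.7", "alice", responseElements={"ConsoleLogin": "Failure"}),
    ev("ConsoleLogin", "198.51.100.7", "bob", responseElements={"ConsoleLogin": "Failure"}),
    ev("ConsoleLogin", "198.51.100.7", "carol", responseElements={"ConsoleLogin": "Failure"}),
    ev("ConsoleLogin", "203.0.113.5", "dave", responseElements={"ConsoleLogin": "Success"},
       additionalEventData={"MFAUsed": "No"}),
    ev("DeactivateMFADevice", "203.0.113.5", "dave", requestParameters={"userName": "dave"}),
    ev("ModifyDBInstance", "203.0.113.5", "dave",
       requestParameters={"dBInstanceIdentifier": "prod-db", "masterUserPassword": "****"}),
]


def detect(events):
    """Return (detection name, subject, detail) tuples for the story's signals."""
    failed_per_ip = defaultdict(int)
    users_per_ip = defaultdict(set)
    alerts = []
    for e in events:
        name, ip = e.get("eventName"), e.get("sourceIPAddress")
        user = e.get("userIdentity", {}).get("userName")
        resp = e.get("responseElements") or {}
        if name == "ConsoleLogin" and resp.get("ConsoleLogin") == "Failure":
            failed_per_ip[ip] += 1          # aggregated after the loop
            users_per_ip[ip].add(user)
        elif name == "ConsoleLogin" and resp.get("ConsoleLogin") == "Success" \
                and (e.get("additionalEventData") or {}).get("MFAUsed") == "No":
            alerts.append(("AWS Successful Single-Factor Authentication", user, ip))
        elif name == "DeactivateMFADevice":
            alerts.append(("AWS Multi-Factor Authentication Disabled", user, ip))
        elif name == "ModifyDBInstance" and "masterUserPassword" in (e.get("requestParameters") or {}):
            alerts.append(("AWS Credential Access RDS Password reset", user, ip))
    for ip, n in failed_per_ip.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("AWS High Number Of Failed Authentications From Ip", ip, n))
        if len(users_per_ip[ip]) >= SPRAY_USER_THRESHOLD:
            alerts.append(("AWS Multiple Users Failing To Authenticate From Ip", ip, sorted(users_per_ip[ip])))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```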

Data Sources

Name | Platform | Sourcetype | Source
ASL AWS CloudTrail | AWS | aws:asl | aws_asl
AWS CloudTrail | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail ConsoleLogin | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail CreateVirtualMFADevice | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail DeactivateMFADevice | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail DeleteVirtualMFADevice | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail DescribeEventAggregates | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail GetPasswordData | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail ModifyDBInstance | AWS | aws:cloudtrail | aws_cloudtrail

Source: GitHub | Version: 2