Description
Identify activity and techniques associated with accessing credential files from AWS resources, and monitor unusual authentication-related activity against the AWS Console and other services such as RDS.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Authentication
- Last Updated: 2022-08-19
- Author: Gowthamaraj Rajendran, Bhavin Patel, Splunk
- ID: 4210b690-293f-411d-a9d8-bcfb2ea5fff9
Narrative
Amazon Web Services provides a web service known as Identity and Access Management (IAM) for controlling and securely managing access to AWS resources. It is the foundation of how users in AWS interact with resources and services in the cloud, and vice versa. Account Takeover (ATO) is an attack in which cybercriminals gain unauthorized access to online accounts using techniques such as brute force, social engineering, phishing and spear phishing, credential stuffing, etc. Adversaries employ a variety of techniques to steal AWS Cloud credentials such as account names, passwords and keys, and to take over legitimate user accounts. Use of legitimate keys lets attackers reach other sensitive systems, and because they can mimic legitimate behaviour they are harder to detect. Such activity may involve multiple failed logins to the console, new console logins and password reset activities.
Detections
| Name | Technique | Type |
| --- | --- | --- |
| ASL AWS Concurrent Sessions From Different Ips | Browser Session Hijacking | Anomaly |
| ASL AWS Multi-Factor Authentication Disabled | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication | TTP |
| ASL AWS New MFA Method Registered For User | Modify Authentication Process, Multi-Factor Authentication | TTP |
| AWS Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP |
| AWS Console Login Failed During MFA Challenge | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP |
| AWS Credential Access Failed Login | Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing | TTP |
| AWS Credential Access GetPasswordData | Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing | Anomaly |
| AWS Credential Access RDS Password reset | Compromise Accounts, Cloud Accounts, Brute Force | TTP |
| AWS High Number Of Failed Authentications For User | Password Policy Discovery | Anomaly |
| AWS High Number Of Failed Authentications From Ip | Brute Force, Password Spraying, Credential Stuffing | Anomaly |
| AWS Multi-Factor Authentication Disabled | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication | TTP |
| AWS Multiple Failed MFA Requests For User | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | Anomaly |
| AWS Multiple Users Failing To Authenticate From Ip | Brute Force, Password Spraying, Credential Stuffing | Anomaly |
| AWS New MFA Method Registered For User | Modify Authentication Process, Multi-Factor Authentication | TTP |
| AWS Successful Single-Factor Authentication | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP |
| AWS Unusual Number of Failed Authentications From Ip | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Anomaly |
| Detect AWS Console Login by New User | Compromise Accounts, Cloud Accounts, Unsecured Credentials | Hunting |
| Detect AWS Console Login by User from New City | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting |
| Detect AWS Console Login by User from New Country | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting |
| Detect AWS Console Login by User from New Region | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting |
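To make the signals in the narrative and the table concrete, here is an added example (not Splunk's own SPL or any detection from this story) that runs two of the listed ideas, "Multiple Users Failing To Authenticate From Ip" and "Successful Single-Factor Authentication", over constructed CloudTrail ConsoleLogin records. Field names follow the CloudTrail ConsoleLogin event shape; the users, IPs and timestamps are invented, and the window and user threshold are assumed values, not the story's tuned defaults.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _event(ts, user, ip, outcome, mfa):
    """Build a minimal CloudTrail ConsoleLogin record (constructed sample data)."""
    rec = {"eventTime": ts, "eventName": "ConsoleLogin",
           "userIdentity": {"userName": user}, "sourceIPAddress": ip,
           "responseElements": {"ConsoleLogin": outcome},
           "additionalEventData": {"MFAUsed": mfa}}
    if outcome == "Failure":
        rec["errorMessage"] = "Failed authentication"
    return rec

# Constructed sample: one IP cycling through four users in three minutes,
# one ordinary failure, one success without MFA, one success with MFA.
SAMPLE_EVENTS = [
    _event("2022-08-19T10:00:05Z", "alice", "198.51.100.7", "Failure", "No"),
    _event("2022-08-19T10:00:41Z", "bob",   "198.51.100.7", "Failure", "No"),
    _event("2022-08-19T10:01:30Z", "carol", "198.51.100.7", "Failure", "No"),
    _event("2022-08-19T10:02:55Z", "dave",  "198.51.100.7", "Failure", "No"),
    _event("2022-08-19T10:05:00Z", "alice", "203.0.113.9",  "Failure", "No"),
    _event("2022-08-19T10:05:20Z", "alice", "203.0.113.9",  "Success", "No"),
    _event("2022-08-19T10:06:00Z", "bob",   "192.0.2.5",    "Success", "Yes"),
]

def _ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def spraying_ips(events, min_users=3, window=timedelta(minutes=10)):
    """Source IPs with failed logins for >= min_users distinct users inside one window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["eventName"] == "ConsoleLogin" and e["responseElements"]["ConsoleLogin"] == "Failure":
            by_ip[e["sourceIPAddress"]].append((_ts(e), e["userIdentity"]["userName"]))
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort()
        # sliding window anchored at each failure, in time order
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits

def single_factor_logins(events):
    """Successful console logins that did not present an MFA factor."""
    return [(e["userIdentity"]["userName"], e["sourceIPAddress"]) for e in events
            if e["eventName"] == "ConsoleLogin"
            and e["responseElements"]["ConsoleLogin"] == "Success"
            and e["additionalEventData"].get("MFAUsed") == "No"]
```

In production the same grouping is done by the Authentication datamodel searches listed above; this script is only meant to show what those searches are counting.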
Reference
- source (version: 2)