---
# Panther detection rule metadata for the AWS root console password change
# detection. The positive fixture below is a CloudTrail "PasswordUpdated"
# event from signin.amazonaws.com issued by the account's root principal.
# A root credential change is an account-manipulation / persistence signal
# (MITRE ATT&CK TA0003:T1098), which is why this rule is Severity High.
AnalysisType: rule
# Rule logic is implemented in this sibling Python file (not shown here).
Filename: aws_root_password_changed.py
RuleID: "AWS.CloudTrail.RootPasswordChanged"
DisplayName: "Root Password Changed"
Enabled: true
LogTypes:
  - AWS.CloudTrail
Tags:
  - AWS
  - Identity and Access Management
  - Persistence:Account Manipulation
Severity: High
Reports:
  MITRE ATT&CK:
    - TA0003:T1098
Description: >
  Someone manually changed the Root console login password.
Runbook: >
  Verify that the root password change was authorized. If not, AWS support
  should be contacted immediately as the root account cannot be recovered
  through normal means and grants complete access to the account.
Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_change-root.html
# Event fields surfaced in the alert summary.
# NOTE(review): the fixtures spell the source address field `sourceIPAddress`;
# confirm the casing of `sourceIpAddress` below matches the AWS.CloudTrail
# schema the rule is evaluated against.
SummaryAttributes:
  - userAgent
  - sourceIpAddress
  - recipientAccountId
  - p_any_aws_arns
# The two fixtures differ only in responseElements.PasswordUpdated
# ("Success" vs "Failure"): only a successful change is expected to alert.
Tests:
  - Name: Root Password Changed
    ExpectedResult: true
    Log:
      awsRegion: us-east-1
      eventID: "1111"
      eventName: PasswordUpdated
      eventSource: signin.amazonaws.com
      eventTime: "2019-01-01T00:00:00Z"
      eventType: AwsConsoleSignIn
      eventVersion: "1.05"
      recipientAccountId: "123456789012"
      requestID: "1111"
      requestParameters: null
      responseElements:
        PasswordUpdated: Success
      sourceIPAddress: "111.111.111.111"
      userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"
      userIdentity:
        # NOTE(review): "accesKeyId" looks like a misspelled duplicate of
        # accessKeyId carried over in the fixture; kept as-is.
        accesKeyId: "1111"
        accessKeyId: ""
        accountId: "123456789012"
        arn: "arn:aws:iam::123456789012:root"
        principalId: "123456789012"
        type: Root
  - Name: Root Password Change Failed
    ExpectedResult: false
    Log:
      awsRegion: us-east-1
      eventID: "1111"
      eventName: PasswordUpdated
      eventSource: signin.amazonaws.com
      eventTime: "2019-01-01T00:00:00Z"
      eventType: AwsConsoleSignIn
      eventVersion: "1.05"
      recipientAccountId: "123456789012"
      requestID: "1111"
      requestParameters: null
      responseElements:
        PasswordUpdated: Failure
      sourceIPAddress: "111.111.111.111"
      userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"
      userIdentity:
        # NOTE(review): same misspelled "accesKeyId" key as the positive fixture.
        accesKeyId: "1111"
        accessKeyId: ""
        accountId: "123456789012"
        arn: "arn:aws:iam::123456789012:root"
        principalId: "123456789012"
        type: Root