/
aws_credential_access_failed_login.yml
67 lines (67 loc) · 2.17 KB
/
aws_credential_access_failed_login.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
name: AWS Credential Access Failed Login
id: a19b354d-0d7f-47f3-8ea6-1a7c36434968
version: 1
date: '2022-08-07'
author: Gowthamaraj Rajendran, Bhavin Patel, Splunk
status: production
type: TTP
description: It shows that there have been an unsuccessful attempt to log in using
the user identity to the AWS management console. Since the user identity has access
to AWS account services and resources, an attacker might try to brute force the
password for that identity.
data_source:
- AWS CloudTrail
search: '| tstats count earliest(_time) as firstTime, latest(_time) as lastTime from
datamodel=Authentication where Authentication.action = failure Authentication.app=AwsConsoleSignIn
Authentication.signature=ConsoleLogin BY Authentication.app Authentication.signature
Authentication.dest Authentication.user Authentication.action Authentication.user_id
Authentication.src | `drop_dm_object_name(Authentication)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
| `aws_credential_access_failed_login_filter`'
how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This
search works with AWS CloudTrail logs.
known_false_positives: Users may genuinely mistype or forget the password.
references:
- https://attack.mitre.org/techniques/T1110/001/
tags:
analytic_story:
- AWS Identity and Access Management Account Takeover
asset_type: AWS Account
confidence: 70
impact: 70
message: User $user$ has a login failure from IP $src$
mitre_attack_id:
- T1586
- T1586.003
- T1110
- T1110.001
observable:
- name: src
type: IP Address
role:
- Attacker
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- app
- eventSource
- action
- signature
- dest
- user
- user_id
risk_score: 49
security_domain: threat
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json
source: aws_cloudtrail
sourcetype: aws:cloudtrail
update_timestamp: true