AWS Management Console Brute Force of Root User Identity
Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2020/07/21"
integration = ["aws"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An
adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services
and resources for the AWS account.
"""
false_positives = [
    """
    Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false
    positives.
    """,
]
from = "now-20m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS Management Console Brute Force of Root User Identity"
note = """## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]
risk_score = 73
rule_id = "4d50a94f-2844-43fa-8395-6afbd5e1c5ef"
severity = "high"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Use Case: Identity and Access Audit",
    "Tactic: Credential Access",
]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[rule.threshold]
field = ["cloud.account.id"]
value = 10
```
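To show what the threshold rule above actually evaluates, here is an added example (not Elastic's own code) that replays the KQL filter, the 20-minute lookback and the per-`cloud.account.id` threshold of 10 over constructed ECS-shaped CloudTrail documents; the field names are the rule's, the sample accounts and timestamps are made up.

```python
# Added example (not Elastic's code): replays this rule's KQL filter and threshold
# over constructed ECS-shaped CloudTrail documents, as the threshold rule type does.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 10                  # [rule.threshold] value
WINDOW = timedelta(minutes=20)  # from = "now-20m"
NOW = datetime(2024, 5, 21, 12, 0, tzinfo=timezone.utc)  # constructed evaluation time

def matches_query(doc):
    """Every clause of the rule's KQL query must hold for the document."""
    return (doc.get("event.dataset") == "aws.cloudtrail"
            and doc.get("event.provider") == "signin.amazonaws.com"
            and doc.get("event.action") == "ConsoleLogin"
            and doc.get("aws.cloudtrail.user_identity.type") == "Root"
            and doc.get("event.outcome") == "failure")

def accounts_over_threshold(docs, now=NOW):
    """Count matching docs per cloud.account.id (the threshold field) inside the
    lookback window; return {account_id: count} for accounts at or over the threshold."""
    counts = defaultdict(int)
    for doc in docs:
        if now - doc["@timestamp"] > WINDOW:  # older than from = "now-20m": ignored
            continue
        if matches_query(doc):
            counts[doc["cloud.account.id"]] += 1
    return {acct: n for acct, n in counts.items() if n >= THRESHOLD}

def login_doc(minutes_ago, account, outcome="failure", identity="Root"):
    """Minimal ECS document shaped like what the AWS CloudTrail integration indexes."""
    return {"@timestamp": NOW - timedelta(minutes=minutes_ago),
            "event.dataset": "aws.cloudtrail",
            "event.provider": "signin.amazonaws.com",
            "event.action": "ConsoleLogin",
            "event.outcome": outcome,
            "aws.cloudtrail.user_identity.type": identity,
            "cloud.account.id": account}

# Constructed sample: account 1 has 11 recent root failures (alerts); account 2 has
# 9 recent plus 4 stale root failures (stale ones fall outside the window, no alert);
# account 3 has 12 recent IAMUser failures (wrong identity type, no alert).
SAMPLE = ([login_doc(m, "111111111111") for m in range(11)]
          + [login_doc(1, "111111111111", outcome="success")]
          + [login_doc(m, "222222222222") for m in range(9)]
          + [login_doc(30 + m, "222222222222") for m in range(4)]
          + [login_doc(m, "333333333333", identity="IAMUser") for m in range(12)])

if __name__ == "__main__":
    print(accounts_over_threshold(SAMPLE))  # {'111111111111': 11}
```

Note that the stale failures for the second account illustrate the false-positive caveat in reverse: a slow, retry-backed-off process can stay under the threshold, which is why `value` and `from` should be tuned together rather than in isolation.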
Setup
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
Related rules
- AWS EC2 Admin Credential Fetch via Assumed Role
- AWS IAM Brute Force of Assume Role Policy
- AWS IAM User Addition to Group
- AWS IAM Assume Role Policy Update
- AWS IAM Group Creation