AWS Management Console Brute Force of Root User Identity

 1[metadata]
 2creation_date = "2020/07/21"
 3integration = ["aws"]
 4maturity = "production"
 5updated_date = "2025/01/15"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An
11adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services
12and resources for the AWS account.
13"""
14false_positives = [
15    """
16    Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false
17    positives.
18    """,
19]
20from = "now-20m"
21index = ["filebeat-*", "logs-aws.cloudtrail-*"]
22language = "kuery"
23license = "Elastic License v2"
24name = "AWS Management Console Brute Force of Root User Identity"
25note = """## Triage and analysis
26
27> **Disclaimer**:
28> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
29
30### Investigating AWS Management Console Brute Force of Root User Identity
31
32The AWS Management Console is a web-based interface for accessing and managing AWS services. The root user identity has unrestricted access, making it a prime target for adversaries seeking unauthorized control. Attackers may attempt brute force attacks to guess the root password. The detection rule identifies such attempts by monitoring failed login events specifically for the root user, flagging potential credential access threats.
33
34### Possible investigation steps
35
36- Review the CloudTrail logs for the specific time frame of the failed login attempts to identify patterns or anomalies in the source IP addresses or user agents.
37- Check the geographical location of the IP addresses involved in the failed login attempts to determine if they are consistent with known or expected locations for legitimate access.
38- Investigate any successful login attempts from the same IP addresses or user agents to assess if the brute force attempt was successful at any point.
39- Analyze the frequency and timing of the failed login attempts to determine if they align with typical brute force attack patterns, such as rapid or sequential attempts.
40- Correlate the failed login events with other security events or alerts in the AWS environment to identify any concurrent suspicious activities that may indicate a broader attack campaign.
41- Review AWS CloudTrail logs for any changes in IAM policies or unusual activity following the failed login attempts to ensure no unauthorized access was gained.
42
43### False positive analysis
44
45- Legitimate users may forget their password and repeatedly attempt to log in, triggering the rule. To manage this, monitor for patterns of failed logins followed by successful ones and consider excluding these from alerts if they originate from known IP addresses.
46- Automated scripts or applications using outdated credentials can cause repeated failed login attempts. Identify and update these credentials or exclude the associated IP addresses from the rule.
47- Security testing or penetration testing activities might simulate brute force attacks. Coordinate with your security team to whitelist IP addresses or timeframes associated with these activities to prevent false positives.
48- Shared accounts or environments where multiple users attempt to access the root account can lead to multiple failed attempts. Implement stricter access controls and consider excluding known internal IP ranges from the rule.
49
50### Response and remediation
51
52- Immediately disable the root user account to prevent further unauthorized access attempts. This can be done through the AWS Management Console by navigating to the IAM section and selecting the root user account.
53- Review the CloudTrail logs to identify the source IP addresses of the failed login attempts. Block these IP addresses using AWS security groups or network ACLs to prevent further access attempts from these locations.
54- Reset the root user password and ensure it is strong and unique. Use a password manager to generate and store the new password securely.
55- Enable multi-factor authentication (MFA) for the root user account to add an additional layer of security. This can be configured in the AWS Management Console under the IAM section.
56- Conduct a thorough audit of recent account activity to ensure no unauthorized changes have been made. Pay special attention to IAM roles, policies, and permissions.
57- Notify the security team and relevant stakeholders about the incident for awareness and further investigation. Provide them with details of the attempted breach and actions taken.
58- Implement additional monitoring and alerting for unusual login patterns or failed login attempts to the root account to enhance early detection of similar threats in the future.
59
60## Setup
61
62The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
63references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]
64risk_score = 73
65rule_id = "4d50a94f-2844-43fa-8395-6afbd5e1c5ef"
66severity = "high"
67tags = [
68    "Domain: Cloud",
69    "Data Source: AWS",
70    "Data Source: Amazon Web Services",
71    "Use Case: Identity and Access Audit",
72    "Tactic: Credential Access",
73    "Resources: Investigation Guide",
74]
75timestamp_override = "event.ingested"
76type = "threshold"
77
78query = '''
79event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure
80'''
81
82
83[[rule.threat]]
84framework = "MITRE ATT&CK"
85[[rule.threat.technique]]
86id = "T1110"
87name = "Brute Force"
88reference = "https://attack.mitre.org/techniques/T1110/"
89
90
91[rule.threat.tactic]
92id = "TA0006"
93name = "Credential Access"
94reference = "https://attack.mitre.org/tactics/TA0006/"
95
96[rule.threshold]
97field = ["cloud.account.id"]
98value = 10