AWS IAM Password Recovery Requested
Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/07/02"
3integration = ["aws"]
4maturity = "production"
5updated_date = "2025/01/15"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing
11password recovery mechanisms.
12"""
13false_positives = [
14 """
15 Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment.
16 Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives,
17 it can be exempted from the rule.
18 """,
19]
20from = "now-60m"
21index = ["filebeat-*", "logs-aws.cloudtrail-*"]
22interval = "10m"
23language = "kuery"
24license = "Elastic License v2"
25name = "AWS IAM Password Recovery Requested"
26note = """## Triage and analysis
27
28> **Disclaimer**:
29> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
30
31### Investigating AWS IAM Password Recovery Requested
32
33AWS Identity and Access Management (IAM) facilitates secure access control to AWS resources. Password recovery requests are legitimate processes for users to regain access. However, adversaries may exploit this by initiating unauthorized recovery attempts to gain access. The detection rule monitors successful password recovery requests within AWS CloudTrail logs, focusing on initial access tactics, to identify potential misuse and unauthorized access attempts.
34
35### Possible investigation steps
36
37- Review the AWS CloudTrail logs for the specific event.action:PasswordRecoveryRequested to identify the user account involved in the password recovery request.
38- Check the event.provider:signin.amazonaws.com logs to determine the source IP address and geolocation associated with the password recovery request to assess if it aligns with known user activity.
39- Investigate the event.outcome:success logs to confirm if the password recovery was completed and if there were any subsequent successful logins from the same or different IP addresses.
40- Analyze the user account's recent activity and permissions to identify any unusual or unauthorized actions that may indicate compromise.
41- Cross-reference the event with any other security alerts or incidents involving the same user account to identify potential patterns or coordinated attacks.
42- Contact the user associated with the password recovery request to verify if they initiated the request and to ensure their account security.
43
44### False positive analysis
45
46- Routine password recovery by legitimate users can trigger this rule. To manage this, identify users who frequently request password recovery and consider adding them to an exception list if their behavior is verified as non-threatening.
47- Automated password recovery processes used by internal IT support or helpdesk teams may also cause false positives. Coordinate with these teams to understand their workflows and exclude their activities from triggering alerts.
48- Users with known issues accessing their accounts due to technical problems might repeatedly request password recovery. Monitor these cases and exclude them once confirmed as non-malicious.
49- Scheduled security drills or training exercises that involve password recovery can generate alerts. Ensure these activities are documented and excluded from the rule to prevent unnecessary alerts.
50
51### Response and remediation
52
53- Immediately verify the legitimacy of the password recovery request by contacting the user associated with the request. Ensure they initiated the recovery process and are aware of the request.
54- Temporarily disable the affected IAM user account to prevent any unauthorized access until the situation is fully assessed and resolved.
55- Review AWS CloudTrail logs for any additional suspicious activities associated with the IAM user account, such as unusual login attempts or changes to permissions, to identify potential compromise.
56- If unauthorized access is confirmed, reset the IAM user's password and any associated access keys. Ensure the new credentials are communicated securely to the legitimate user.
57- Implement multi-factor authentication (MFA) for the affected IAM user account to enhance security and prevent future unauthorized access attempts.
58- Escalate the incident to the security operations team for further investigation and to determine if additional accounts or resources have been compromised.
59- Update and enhance monitoring rules to detect similar unauthorized password recovery attempts in the future, ensuring timely alerts and responses.
60
61## Setup
62
63The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
64references = ["https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"]
65risk_score = 21
66rule_id = "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c"
67severity = "low"
68tags = [
69 "Domain: Cloud",
70 "Data Source: AWS",
71 "Data Source: Amazon Web Services",
72 "Data Source: AWS Signin",
73 "Use Case: Identity and Access Audit",
74 "Tactic: Initial Access",
75 "Resources: Investigation Guide",
76]
77timestamp_override = "event.ingested"
78type = "query"
79
80query = '''
81event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success
82'''
83
84
85[[rule.threat]]
86framework = "MITRE ATT&CK"
87[[rule.threat.technique]]
88id = "T1078"
89name = "Valid Accounts"
90reference = "https://attack.mitre.org/techniques/T1078/"
91
92
93[rule.threat.tactic]
94id = "TA0001"
95name = "Initial Access"
96reference = "https://attack.mitre.org/tactics/TA0001/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating AWS IAM Password Recovery Requested
AWS Identity and Access Management (IAM) facilitates secure access control to AWS resources. Password recovery requests are legitimate processes for users to regain access. However, adversaries may exploit this by initiating unauthorized recovery attempts to gain access. The detection rule monitors successful password recovery requests within AWS CloudTrail logs, focusing on initial access tactics, to identify potential misuse and unauthorized access attempts.
Possible investigation steps
- Review the AWS CloudTrail logs for the specific event.action:PasswordRecoveryRequested to identify the user account involved in the password recovery request.
- Check the event.provider:signin.amazonaws.com logs to determine the source IP address and geolocation associated with the password recovery request to assess if it aligns with known user activity.
- Investigate the event.outcome:success logs to confirm if the password recovery was completed and if there were any subsequent successful logins from the same or different IP addresses.
- Analyze the user account's recent activity and permissions to identify any unusual or unauthorized actions that may indicate compromise.
- Cross-reference the event with any other security alerts or incidents involving the same user account to identify potential patterns or coordinated attacks.
- Contact the user associated with the password recovery request to verify if they initiated the request and to ensure their account security.
False positive analysis
- Routine password recovery by legitimate users can trigger this rule. To manage this, identify users who frequently request password recovery and consider adding them to an exception list if their behavior is verified as non-threatening.
- Automated password recovery processes used by internal IT support or helpdesk teams may also cause false positives. Coordinate with these teams to understand their workflows and exclude their activities from triggering alerts.
- Users with known issues accessing their accounts due to technical problems might repeatedly request password recovery. Monitor these cases and exclude them once confirmed as non-malicious.
- Scheduled security drills or training exercises that involve password recovery can generate alerts. Ensure these activities are documented and excluded from the rule to prevent unnecessary alerts.
Response and remediation
- Immediately verify the legitimacy of the password recovery request by contacting the user associated with the request. Ensure they initiated the recovery process and are aware of the request.
- Temporarily disable the affected IAM user account to prevent any unauthorized access until the situation is fully assessed and resolved.
- Review AWS CloudTrail logs for any additional suspicious activities associated with the IAM user account, such as unusual login attempts or changes to permissions, to identify potential compromise.
- If unauthorized access is confirmed, reset the IAM user's password and any associated access keys. Ensure the new credentials are communicated securely to the legitimate user.
- Implement multi-factor authentication (MFA) for the affected IAM user account to enhance security and prevent future unauthorized access attempts.
- Escalate the incident to the security operations team for further investigation and to determine if additional accounts or resources have been compromised.
- Update and enhance monitoring rules to detect similar unauthorized password recovery attempts in the future, ensuring timely alerts and responses.
Setup
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- AWS Management Console Root Login
- AWS EC2 Admin Credential Fetch via Assumed Role
- AWS EC2 Instance Connect SSH Public Key Uploaded
- AWS EC2 Instance Console Login via Assumed Role
- AWS IAM CompromisedKeyQuarantine Policy Attached to User