AWS IAM Account Concurrent Sessions from Multiple IPs
Detection of AWS IAM accounts exhibiting concurrent sessions originating from different IP addresses within a short timeframe, potentially indicating session hijacking.
This analytic identifies AWS IAM accounts that have concurrent sessions originating from more than one unique IP address within a 5-minute window. The detection leverages AWS CloudTrail logs, specifically the DescribeEventAggregates event. The goal is to detect potential session hijacking attacks, where an attacker uses stolen session cookies or credentials to access AWS resources from a different location than the legitimate user. This can lead to unauthorized access to sensitive corporate resources, data breaches, and further exploitation within the AWS environment. The technique is often employed after initial access through phishing or other credential compromise methods. The impact of successful session hijacking can range from data exfiltration to infrastructure compromise.
Attack Chain
- The attacker gains initial access to user credentials or session cookies, possibly through phishing (T1566) or malware.
- The attacker leverages the compromised credentials/session cookies to authenticate to the AWS environment.
- The attacker initiates AWS API calls, such as
DescribeEventAggregates, from their location. - The legitimate user also continues to use their AWS session from their original location.
- AWS CloudTrail logs record the
DescribeEventAggregatesevents, noting the originating IP addresses and user identities. - A monitoring system detects multiple
DescribeEventAggregatesevents for the same user originating from different IP addresses within a 5-minute window. - The attacker gains unauthorized access to AWS resources.
- The attacker performs malicious actions such as data exfiltration or resource modification.
Impact
Compromised AWS IAM accounts can lead to significant data breaches, unauthorized resource usage, and potential disruptions to cloud services. The impact can range from exfiltration of sensitive data to modification or deletion of critical infrastructure components. Organizations in all sectors are at risk if their AWS credentials are compromised. A successful attack could result in data loss, financial damage, and reputational harm.
Recommendation
- Deploy the Sigma rule
AWS Concurrent Sessions From Different IPsto your SIEM and tune it for your environment to detect potential session hijacking attempts using AWS CloudTrail logs. - Investigate any alerts generated by the Sigma rule
AWS Concurrent Sessions From Different Ipsto determine if the concurrent sessions are legitimate or malicious. - Implement multi-factor authentication (MFA) for all AWS IAM users to mitigate credential theft and session hijacking (reference T1185).
- Monitor AWS CloudTrail logs for unusual API calls and access patterns to detect potentially compromised accounts.
- Review and enforce least privilege access controls to limit the impact of compromised accounts.
- Consider using AWS IAM Access Analyzer to identify overly permissive IAM roles and policies.
Detection coverage 2
AWS Concurrent Sessions From Different IPs
highDetects AWS IAM accounts with concurrent sessions from different IP addresses within a 5-minute window, indicating potential session hijacking.
AWS DescribeEventAggregates from Unusual User Agent
mediumDetects DescribeEventAggregates events with unusual user agents, which could indicate malicious activity.
Detection queries are available on the platform. Get full rules →