AWS Account Console Login from Multiple IPs
An AWS account successfully authenticating from multiple unique IP addresses within a 5-minute window may indicate compromised credentials, potentially from a phishing attack.
This analytic identifies AWS accounts that have successfully authenticated to the AWS console from multiple unique IP addresses within a short timeframe (5 minutes). The detection focuses on ConsoleLogin events in AWS CloudTrail logs, specifically counting the number of distinct source IP addresses associated with each user. This behavior is indicative of potential credential compromise, where an attacker and a legitimate user might be concurrently accessing the same account from different locations. The activity could be the result of a phishing attack or other credential theft techniques. Successful exploitation can grant unauthorized access to sensitive corporate resources within the AWS environment.
Attack Chain
- An attacker obtains AWS credentials via phishing or other means (T1566).
- The attacker initiates a console login to the AWS environment from their IP address.
- A legitimate user, unaware of the compromise, logs in to the same AWS account from their usual IP address.
- AWS CloudTrail logs both successful
ConsoleLoginevents, each originating from a different source IP. - The detection analytic identifies the multiple distinct source IP addresses associated with the same user account within a 5-minute window.
- The attacker leverages the compromised credentials to explore the AWS environment, potentially escalating privileges (T1068).
- The attacker accesses or modifies sensitive data, or deploys malicious resources within the AWS environment (T1535).
Impact
Compromised AWS credentials can lead to unauthorized access to critical cloud infrastructure and data. Depending on the permissions associated with the compromised account, attackers can potentially access sensitive data, disrupt services, deploy ransomware, or pivot to other systems within the environment. The number of affected AWS accounts will vary depending on the scope of the credential compromise. This type of attack could affect organizations of all sizes using AWS, with potential losses ranging from data theft and service disruption to significant financial repercussions.
Recommendation
- Deploy the Sigma rule
AWS Console Login From Multiple IPsto your SIEM and tune thedistinct_ip_countthreshold for your environment. - Investigate any alerts generated by the Sigma rule by examining the source IPs (
src) and user agents (user_agent) involved. - Implement multi-factor authentication (MFA) on all AWS accounts to mitigate the impact of credential compromise.
- Review and enforce strong password policies for all AWS users.
- Monitor AWS CloudTrail logs for suspicious activity, focusing on
ConsoleLoginand other sensitive events. - Use threat intelligence platforms to identify and block malicious IPs and domains associated with credential phishing campaigns.
Detection coverage 2
AWS Console Login From Multiple IPs
highDetects AWS console logins from multiple distinct IP addresses within a 5-minute window, indicating potential credential compromise.
AWS Console Login with Unusual User Agent
mediumDetects AWS console logins with uncommon user agents, potentially indicating automated tools or suspicious access.
Detection queries are available on the platform. Get full rules →