Skip to content
Threat Feed
medium advisory

AWS Console Login from New Country

Detects AWS console logins by a user from a previously unseen country, potentially indicating compromised credentials.

This detection identifies instances of a user logging into the AWS console from a country that they have not previously logged in from. This behavior can indicate compromised credentials being used from a new location, or a user legitimately traveling and accessing the console from a different country. It is important to investigate these events to determine if they are authorized or malicious. While this activity could be benign, it serves as an important indicator for further investigation and potential incident escalation, especially when combined with other anomalous behaviors. The detection focuses on analyzing AWS CloudTrail logs for console login events and comparing the source IP's geolocation against historical login locations for the given user.

Attack Chain

  1. Initial Access: An attacker gains access to valid AWS credentials, possibly through phishing, credential stuffing, or malware. (T1190, T1566)
  2. Credential Use: The attacker uses the stolen credentials to attempt to log into the AWS console from a country different from the user's typical login locations. (T1078)
  3. Authentication: The AWS console authenticates the attacker based on the provided credentials.
  4. Console Access: The attacker successfully logs into the AWS console.
  5. Reconnaissance: The attacker performs reconnaissance activities within the AWS environment to identify potential targets, sensitive data, or misconfigurations. (T1018, T1589)
  6. Privilege Escalation (Optional): The attacker attempts to escalate privileges to gain broader access to the AWS environment. (T1068)
  7. Data Exfiltration/Impact: Depending on the attacker's goals, they might exfiltrate sensitive data, modify configurations, deploy malicious code, or disrupt services. (TA0010, TA0040)

Impact

Successful exploitation could lead to unauthorized access to AWS resources, data breaches, service disruption, or financial losses. The severity depends on the attacker's privileges and the sensitivity of the accessed data. A compromised AWS account can provide a foothold for further attacks within the cloud infrastructure and potentially on-premises resources.

Recommendation

  • Enable AWS CloudTrail logging to capture all API calls and console logins for analysis (log source).
  • Deploy the Sigma rules in this brief to your SIEM to identify potentially malicious login activity.
  • Implement multi-factor authentication (MFA) for all AWS accounts to mitigate the risk of credential compromise.
  • Investigate any alerts generated by the Sigma rules and correlate them with other security events to determine the scope and impact of the potential breach.

Detection coverage 2

AWS Console Login from New Country

medium

Detects AWS console logins by a user from a country not previously seen for that user.

sigma tactics: initial_access techniques: T1078 sources: cloudtrail, aws

AWS MFA Not Used for Console Login

high

Detects AWS console logins where multi-factor authentication was not used.

sigma tactics: initial_access techniques: T1078 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →