AWS Console Login by User from New City
Detection of AWS console logins by a user from a previously unseen city, potentially indicating compromised credentials or account takeover.
This threat brief focuses on detecting anomalous AWS console login activity. Specifically, it targets instances where a user logs in from a city not previously associated with their account. This behavior can indicate compromised credentials, account takeover, or unauthorized access by an insider. The detection logic is based on analyzing AWS CloudTrail logs for console login events and comparing the source IP's geolocation with a baseline of previously observed locations for each user. The detection is based on a Splunk detection rule. While the source material doesn't provide specific dates or campaign identifiers, the underlying threat of credential compromise is a persistent and ongoing concern for organizations using AWS. The scope of targeting is broad, as it applies to any organization using the AWS Management Console.
Attack Chain
- An attacker gains access to valid AWS credentials through phishing, malware, or credential stuffing. (Initial Access - T1566, T1110)
- The attacker uses the compromised credentials to log into the AWS Management Console. (Credentialed Access - T1078)
- The login attempt originates from a city that is not in the user's historical login location data. (Defense Evasion - T1078)
- After successful login, the attacker explores the AWS environment to identify potential targets. (Discovery - T1087, T1018)
- The attacker attempts to escalate privileges by assuming roles or exploiting misconfigured IAM policies. (Privilege Escalation - T1068)
- The attacker performs actions such as creating new users, modifying security groups, or launching EC2 instances. (Execution - T1059)
- The attacker disables CloudTrail logging to remove traces of their malicious activity. (Defense Evasion - T1070)
- The attacker exfiltrates sensitive data or deploys malicious resources within the AWS environment. (Impact - T1485)
Impact
A successful attack following this pattern can lead to unauthorized access to sensitive data, modification of critical infrastructure, and significant financial losses. The number of potential victims is vast, encompassing any organization using the AWS Management Console. The sectors most at risk are those that handle sensitive data in the cloud, such as financial services, healthcare, and government. The observed damage can range from data breaches and service disruptions to compliance violations and reputational damage.
Recommendation
- Deploy the "AWS Console Login by User from New City" Sigma rule to your SIEM and tune it for your environment to detect suspicious login activity (Sigma rule).
- Enable AWS CloudTrail logging in all regions to capture the necessary login events for analysis (log source).
- Investigate any alerts generated by the Sigma rule to determine the legitimacy of the login attempt (Sigma rule).
- Implement multi-factor authentication (MFA) for all AWS users to mitigate the risk of credential compromise (TTP).
- Enforce strong password policies and regularly rotate credentials to reduce the likelihood of successful attacks (TTP).
Detection coverage 2
AWS Console Login from New City
mediumDetects AWS console logins by a user from a city not previously seen for that user, based on CloudTrail logs.
AWS Console Login Failed
infoDetects failed AWS console login attempts which may precede a successful login from a new city.
Detection queries are available on the platform. Get full rules →