Skip to content
Threat Feed
medium advisory

AWS Console Login from New City

A user logging into the AWS console from a previously unseen city could indicate compromised credentials or an insider threat.

This alert detects when a user logs into the AWS console from a city that they have never logged in from before. This behavior is anomalous and could indicate that the user's credentials have been compromised and are being used by an attacker in a different location. It could also be a sign of an insider threat, where a legitimate user is accessing resources from an unexpected location for malicious purposes. Defenders should investigate any such alerts to determine the cause of the anomalous login and take appropriate action. This detection focuses on identifying deviations from established user behavior patterns.

Attack Chain

  1. Initial Access: An attacker obtains valid AWS credentials through phishing, credential stuffing, or other means.
  2. Console Login: The attacker uses the stolen credentials to log into the AWS Management Console.
  3. Geolocation Check: The AWS login event includes the user's IP address, which is then geolocated to a city.
  4. Anomaly Detection: The city is compared to a historical list of cities from which the user has previously logged in.
  5. Alert Trigger: If the city is new for that user, an alert is triggered.
  6. Potential Lateral Movement: The attacker leverages the console access to explore the AWS environment.
  7. Resource Access: The attacker may access sensitive data, modify configurations, or launch new resources.
  8. Impact: Data exfiltration, service disruption, or unauthorized resource consumption.

Impact

A successful attack could lead to unauthorized access to sensitive data, modification of critical configurations, or the deployment of malicious resources within the AWS environment. This could result in data breaches, service disruptions, or financial losses. The impact is highly dependent on the permissions associated with the compromised user account and the attacker's objectives. A single compromised account can affect multiple services and resources within the AWS infrastructure.

Detection coverage 2

AWS Console Login from New City

medium

Detects AWS console logins from a city not previously seen for a given user.

sigma tactics: initial_access techniques: T1078 sources: cloud, aws

AWS Console Login - Unexpected City (Baseline Deviation)

medium

This rule detects when a user logs into the AWS console from a city that deviates from their established baseline.

sigma tactics: initial_access techniques: T1078 sources: cloud, aws

Detection queries are available on the platform. Get full rules →