AWS High Number of Failed Console Login Attempts
An IP address exhibiting more than 20 failed AWS console login attempts within a 5-minute window, indicative of potential brute-force or password spraying attacks against AWS accounts.
This analytic identifies potential brute-force or password spraying attacks against AWS accounts. It focuses on detecting a high volume of failed console login attempts originating from a single IP address within a short timeframe. Specifically, it triggers when an IP exhibits 20 or more failed login attempts within a 5-minute window, as recorded in AWS CloudTrail logs. The activity is based on the eventName ConsoleLogin with a failure action. Successful exploitation could lead to unauthorized access to AWS resources, data breaches, and further malicious activity within the AWS environment. The detection is designed to identify and alert on suspicious authentication patterns that bypass normal security measures and represent a significant risk to AWS account security.
Attack Chain
- Initial Access: The attacker attempts to gain initial access to the AWS environment by targeting the AWS Management Console login page.
- Credential Guessing: The attacker initiates a password spraying or brute-force attack, attempting to authenticate with multiple usernames and passwords from a single IP address (T1110.003, T1110.004).
- CloudTrail Logging: AWS CloudTrail logs each failed
ConsoleLoginattempt, capturing the source IP address (src), username (user_name), and timestamp. - Log Aggregation: The security monitoring system collects and aggregates the CloudTrail logs.
- Threshold Breach: The system identifies an IP address that exceeds the defined threshold of 20 failed login attempts within a 5-minute window.
- Alert Trigger: An alert is generated, indicating a potential brute-force or password spraying attack.
- Account Compromise (Potential): If the attacker successfully guesses valid credentials, they gain unauthorized access to the AWS account.
- Lateral Movement/Data Exfiltration (Potential): Once inside the AWS environment, the attacker could potentially move laterally to access other resources or exfiltrate sensitive data.
Impact
A successful brute-force or password spraying attack can lead to complete compromise of the AWS account. This can result in unauthorized access to sensitive data, modification or deletion of critical resources, and financial losses due to resource abuse. The number of affected users and the extent of the damage will depend on the attacker's skill and the permissions associated with the compromised account. This type of attack may lead to compliance violations and reputational damage.
Recommendation
- Deploy the provided Sigma rule to your SIEM and tune the
failed_attemptsthreshold andspanduration based on your environment's baseline login activity. - Investigate any triggered alerts by examining the source IP address (
src) in the CloudTrail logs and correlate with other network activity. - Enforce multi-factor authentication (MFA) on all AWS accounts to mitigate the risk of credential-based attacks.
- Monitor CloudTrail logs for other suspicious activities originating from the identified IP address.
- Implement account lockout policies to automatically disable accounts after a certain number of failed login attempts.
Detection coverage 2
AWS High Number Of Failed Console Logins
highDetects an IP address with a high number of failed AWS console login attempts within a short timeframe, indicating potential brute-force or password spraying.
AWS Failed Console Login with Specific User Agent
mediumDetects failed AWS console logins with a specific user agent, potentially indicating automated tools.
Detection queries are available on the platform. Get full rules →