{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-console/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Console"],"_cs_severities":["high"],"_cs_tags":["aws","password-spraying","credential-access"],"_cs_type":"advisory","_cs_vendors":["Amazon Web Services"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting password spraying attacks targeting the AWS Console. The analytic identifies a single source IP address that fails to authenticate against a high number of unique AWS user accounts within a short time window. Password spraying is a technique where attackers attempt to gain unauthorized access by trying common passwords against many accounts. This activity, if successful, can lead to unauthorized access to AWS resources, data breaches, and further malicious activity within the cloud environment. The detection leverages AWS CloudTrail logs and focuses on \u003ccode\u003eConsoleLogin\u003c/code\u003e events with \u003ccode\u003efailure\u003c/code\u003e status. The threshold for triggering this alert is set to 30 unique accounts within 10 minutes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a list of potential AWS usernames.\u003c/li\u003e\n\u003cli\u003eThe attacker sends authentication requests to the AWS Console from a single source IP.\u003c/li\u003e\n\u003cli\u003eEach request attempts to log in to a different user account with a common password.\u003c/li\u003e\n\u003cli\u003eThe AWS Console responds with a failure event for each incorrect password attempt. These events are logged in AWS CloudTrail.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats steps 2-4 with a different common password.\u003c/li\u003e\n\u003cli\u003eAfter a series of failed attempts across many accounts, one or more attempts might succeed due to weak passwords.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to an AWS account.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions within the AWS environment based on the permissions of the compromised account, such as data exfiltration, resource provisioning, or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful password spraying attack against AWS can have significant consequences. It can lead to unauthorized access to sensitive data stored in AWS services such as S3 buckets, RDS databases, and EC2 instances. It can also allow attackers to provision new resources within the AWS environment, potentially leading to increased costs and further malicious activity. The impact can range from data breaches and service disruption to complete compromise of the AWS environment. The number of affected users and the severity of the impact depend on the permissions and access levels of the compromised accounts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and actively monitor AWS CloudTrail logs for \u003ccode\u003eConsoleLogin\u003c/code\u003e events in all AWS regions to capture failed authentication attempts (data_source).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS Multiple Failed Console Logins\u003c/code\u003e to identify potential password spraying attacks based on a high number of failed login attempts from a single IP address (rules).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule to determine the validity of the suspicious activity and take appropriate remediation steps, such as locking compromised accounts (rules).\u003c/li\u003e\n\u003cli\u003eEnforce strong password policies and multi-factor authentication (MFA) for all AWS user accounts to mitigate the risk of successful password spraying attacks.\u003c/li\u003e\n\u003cli\u003eConsider implementing rate limiting on login attempts to the AWS Console to slow down or prevent password spraying attacks.\u003c/li\u003e\n\u003cli\u003eReview the references provided to understand password spraying attack techniques and how to protect against them (references).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-28T12:00:00Z","date_published":"2024-01-28T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-28-aws-password-spray/","summary":"A single source IP attempts to authenticate to the AWS Console against multiple unique user accounts within a short timeframe, indicating a potential password spraying attack.","title":"AWS Password Spraying Attack via Multiple Failed Console Logins","url":"https://feed.craftedsignal.io/briefs/2024-01-28-aws-password-spray/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Console"],"_cs_severities":["medium"],"_cs_tags":["aws","cloud","credential-access","initial-access"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis detection identifies instances of a user logging into the AWS console from a country that they have not previously logged in from. This behavior can indicate compromised credentials being used from a new location, or a user legitimately traveling and accessing the console from a different country. It is important to investigate these events to determine if they are authorized or malicious. While this activity could be benign, it serves as an important indicator for further investigation and potential incident escalation, especially when combined with other anomalous behaviors. The detection focuses on analyzing AWS CloudTrail logs for console login events and comparing the source IP's geolocation against historical login locations for the given user.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains access to valid AWS credentials, possibly through phishing, credential stuffing, or malware. (T1190, T1566)\u003c/li\u003e\n\u003cli\u003eCredential Use: The attacker uses the stolen credentials to attempt to log into the AWS console from a country different from the user's typical login locations. (T1078)\u003c/li\u003e\n\u003cli\u003eAuthentication: The AWS console authenticates the attacker based on the provided credentials.\u003c/li\u003e\n\u003cli\u003eConsole Access: The attacker successfully logs into the AWS console.\u003c/li\u003e\n\u003cli\u003eReconnaissance: The attacker performs reconnaissance activities within the AWS environment to identify potential targets, sensitive data, or misconfigurations. (T1018, T1589)\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (Optional): The attacker attempts to escalate privileges to gain broader access to the AWS environment. (T1068)\u003c/li\u003e\n\u003cli\u003eData Exfiltration/Impact: Depending on the attacker's goals, they might exfiltrate sensitive data, modify configurations, deploy malicious code, or disrupt services. (TA0010, TA0040)\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to unauthorized access to AWS resources, data breaches, service disruption, or financial losses. The severity depends on the attacker's privileges and the sensitivity of the accessed data. A compromised AWS account can provide a foothold for further attacks within the cloud infrastructure and potentially on-premises resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable AWS CloudTrail logging to capture all API calls and console logins for analysis (log source).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to identify potentially malicious login activity.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules and correlate them with other security events to determine the scope and impact of the potential breach.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-new-country-login/","summary":"Detects AWS console logins by a user from a previously unseen country, potentially indicating compromised credentials.","title":"AWS Console Login from New Country","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-new-country-login/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Console"],"_cs_severities":["high"],"_cs_tags":["aws","cloudtrail","password-spraying"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis analytic identifies potential password spraying attacks against the AWS Console. It uses CloudTrail logs to detect a single source IP address attempting to authenticate with multiple user accounts but failing. The detection leverages statistical analysis, specifically calculating the standard deviation of failed login attempts per source IP and applying a 3-sigma rule to identify outliers. This behavior is indicative of attackers trying to gain initial access to the AWS environment by systematically attempting common passwords across a range of usernames. The technique is often employed to bypass account lockout policies. This activity, if successful, can lead to unauthorized resource access, data breaches, or broader exploitation within the AWS environment. The original Splunk ES-CU analytic was published in April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a target AWS account.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains a list of valid usernames for the target AWS account, possibly through OSINT or previous breaches.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a password spraying attack against the AWS Console, attempting to log in with each username from a single source IP address.\u003c/li\u003e\n\u003cli\u003eEach login attempt generates a CloudTrail ConsoleLogin event with a \u0026quot;failure\u0026quot; action.\u003c/li\u003e\n\u003cli\u003eThe AWS CloudTrail logs are ingested and analyzed by a SIEM or security analytics platform.\u003c/li\u003e\n\u003cli\u003eThe analytic calculates the number of distinct failed login attempts from each source IP within a specific time window (e.g., 10 minutes).\u003c/li\u003e\n\u003cli\u003eThe analytic identifies source IPs with a significantly higher than average number of failed login attempts compared to the historical baseline.\u003c/li\u003e\n\u003cli\u003eIf the attack is successful, the attacker gains access to the AWS account and can perform malicious activities such as data exfiltration, resource modification, or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful password spraying attacks against AWS accounts can lead to significant consequences. Attackers could gain unauthorized access to sensitive data stored in AWS services like S3 buckets or databases. Compromised accounts can also be used to launch further attacks against other systems and services within the AWS environment or connected to it. The potential impact includes data breaches, financial loss, reputational damage, and service disruption. The number of victims and the scale of damage vary depending on the attacker's objectives and the security measures in place.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS Unusual Number of Failed Console Logins\u003c/code\u003e to detect potential password spraying attempts based on CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule by examining the source IP address (\u003ccode\u003esrc\u003c/code\u003e) and the list of attempted usernames (\u003ccode\u003etried_accounts\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts to mitigate the risk of password-based attacks.\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for unusual login patterns and failed authentication attempts.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong password policies for all AWS users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T18:22:30Z","date_published":"2024-01-02T18:22:30Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-aws-console-login-spray/","summary":"A single source IP failing to authenticate into the AWS Console with multiple valid users, potentially indicating a password spraying attack against cloud resources.","title":"AWS Console Login Password Spraying","url":"https://feed.craftedsignal.io/briefs/2024-01-02-aws-console-login-spray/"}],"language":"en","title":"CraftedSignal Threat Feed - AWS Console","version":"https://jsonfeed.org/version/1.1"}