<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AWS Console - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/aws-console/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 28 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/aws-console/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS Password Spraying Attack via Multiple Failed Console Logins</title><link>https://feed.craftedsignal.io/briefs/2024-01-28-aws-password-spray/</link><pubDate>Sun, 28 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-28-aws-password-spray/</guid><description>A single source IP attempts to authenticate to the AWS Console against multiple unique user accounts within a short timeframe, indicating a potential password spraying attack.</description><content:encoded><![CDATA[<p>This threat brief focuses on detecting password spraying attacks targeting the AWS Console. The analytic identifies a single source IP address that fails to authenticate against a high number of unique AWS user accounts within a short time window. Password spraying is a technique where attackers attempt to gain unauthorized access by trying common passwords against many accounts. This activity, if successful, can lead to unauthorized access to AWS resources, data breaches, and further malicious activity within the cloud environment. The detection leverages AWS CloudTrail logs and focuses on <code>ConsoleLogin</code> events with <code>failure</code> status. The threshold for triggering this alert is set to 30 unique accounts within 10 minutes.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a list of potential AWS usernames.</li>
<li>The attacker sends authentication requests to the AWS Console from a single source IP.</li>
<li>Each request attempts to log in to a different user account with a common password.</li>
<li>The AWS Console responds with a failure event for each incorrect password attempt. These events are logged in AWS CloudTrail.</li>
<li>The attacker repeats steps 2-4 with a different common password.</li>
<li>After a series of failed attempts across many accounts, one or more attempts might succeed due to weak passwords.</li>
<li>The attacker gains access to an AWS account.</li>
<li>The attacker can then perform actions within the AWS environment based on the permissions of the compromised account, such as data exfiltration, resource provisioning, or lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful password spraying attack against AWS can have significant consequences. It can lead to unauthorized access to sensitive data stored in AWS services such as S3 buckets, RDS databases, and EC2 instances. It can also allow attackers to provision new resources within the AWS environment, potentially leading to increased costs and further malicious activity. The impact can range from data breaches and service disruption to complete compromise of the AWS environment. The number of affected users and the severity of the impact depend on the permissions and access levels of the compromised accounts.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and actively monitor AWS CloudTrail logs for <code>ConsoleLogin</code> events in all AWS regions to capture failed authentication attempts (data_source).</li>
<li>Deploy the Sigma rule <code>AWS Multiple Failed Console Logins</code> to identify potential password spraying attacks based on a high number of failed login attempts from a single IP address (rules).</li>
<li>Investigate any alerts triggered by the Sigma rule to determine the validity of the suspicious activity and take appropriate remediation steps, such as locking compromised accounts (rules).</li>
<li>Enforce strong password policies and multi-factor authentication (MFA) for all AWS user accounts to mitigate the risk of successful password spraying attacks.</li>
<li>Consider implementing rate limiting on login attempts to the AWS Console to slow down or prevent password spraying attacks.</li>
<li>Review the references provided to understand password spraying attack techniques and how to protect against them (references).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>password-spraying</category><category>credential-access</category></item><item><title>AWS Console Login from New Country</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-aws-new-country-login/</link><pubDate>Wed, 03 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-aws-new-country-login/</guid><description>Detects AWS console logins by a user from a previously unseen country, potentially indicating compromised credentials.</description><content:encoded><![CDATA[<p>This detection identifies instances of a user logging into the AWS console from a country that they have not previously logged in from. This behavior can indicate compromised credentials being used from a new location, or a user legitimately traveling and accessing the console from a different country. It is important to investigate these events to determine if they are authorized or malicious. While this activity could be benign, it serves as an important indicator for further investigation and potential incident escalation, especially when combined with other anomalous behaviors. The detection focuses on analyzing AWS CloudTrail logs for console login events and comparing the source IP's geolocation against historical login locations for the given user.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker gains access to valid AWS credentials, possibly through phishing, credential stuffing, or malware. (T1190, T1566)</li>
<li>Credential Use: The attacker uses the stolen credentials to attempt to log into the AWS console from a country different from the user's typical login locations. (T1078)</li>
<li>Authentication: The AWS console authenticates the attacker based on the provided credentials.</li>
<li>Console Access: The attacker successfully logs into the AWS console.</li>
<li>Reconnaissance: The attacker performs reconnaissance activities within the AWS environment to identify potential targets, sensitive data, or misconfigurations. (T1018, T1589)</li>
<li>Privilege Escalation (Optional): The attacker attempts to escalate privileges to gain broader access to the AWS environment. (T1068)</li>
<li>Data Exfiltration/Impact: Depending on the attacker's goals, they might exfiltrate sensitive data, modify configurations, deploy malicious code, or disrupt services. (TA0010, TA0040)</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation could lead to unauthorized access to AWS resources, data breaches, service disruption, or financial losses. The severity depends on the attacker's privileges and the sensitivity of the accessed data. A compromised AWS account can provide a foothold for further attacks within the cloud infrastructure and potentially on-premises resources.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable AWS CloudTrail logging to capture all API calls and console logins for analysis (log source).</li>
<li>Deploy the Sigma rules in this brief to your SIEM to identify potentially malicious login activity.</li>
<li>Implement multi-factor authentication (MFA) for all AWS accounts to mitigate the risk of credential compromise.</li>
<li>Investigate any alerts generated by the Sigma rules and correlate them with other security events to determine the scope and impact of the potential breach.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>cloud</category><category>credential-access</category><category>initial-access</category></item><item><title>AWS Console Login Password Spraying</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-aws-console-login-spray/</link><pubDate>Tue, 02 Jan 2024 18:22:30 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-aws-console-login-spray/</guid><description>A single source IP failing to authenticate into the AWS Console with multiple valid users, potentially indicating a password spraying attack against cloud resources.</description><content:encoded><![CDATA[<p>This analytic identifies potential password spraying attacks against the AWS Console. It uses CloudTrail logs to detect a single source IP address attempting to authenticate with multiple user accounts but failing. The detection leverages statistical analysis, specifically calculating the standard deviation of failed login attempts per source IP and applying a 3-sigma rule to identify outliers. This behavior is indicative of attackers trying to gain initial access to the AWS environment by systematically attempting common passwords across a range of usernames. The technique is often employed to bypass account lockout policies. This activity, if successful, can lead to unauthorized resource access, data breaches, or broader exploitation within the AWS environment. The original Splunk ES-CU analytic was published in April 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a target AWS account.</li>
<li>The attacker obtains a list of valid usernames for the target AWS account, possibly through OSINT or previous breaches.</li>
<li>The attacker initiates a password spraying attack against the AWS Console, attempting to log in with each username from a single source IP address.</li>
<li>Each login attempt generates a CloudTrail ConsoleLogin event with a &quot;failure&quot; action.</li>
<li>The AWS CloudTrail logs are ingested and analyzed by a SIEM or security analytics platform.</li>
<li>The analytic calculates the number of distinct failed login attempts from each source IP within a specific time window (e.g., 10 minutes).</li>
<li>The analytic identifies source IPs with a significantly higher than average number of failed login attempts compared to the historical baseline.</li>
<li>If the attack is successful, the attacker gains access to the AWS account and can perform malicious activities such as data exfiltration, resource modification, or privilege escalation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful password spraying attacks against AWS accounts can lead to significant consequences. Attackers could gain unauthorized access to sensitive data stored in AWS services like S3 buckets or databases. Compromised accounts can also be used to launch further attacks against other systems and services within the AWS environment or connected to it. The potential impact includes data breaches, financial loss, reputational damage, and service disruption. The number of victims and the scale of damage vary depending on the attacker's objectives and the security measures in place.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS Unusual Number of Failed Console Logins</code> to detect potential password spraying attempts based on CloudTrail logs.</li>
<li>Investigate alerts generated by the Sigma rule by examining the source IP address (<code>src</code>) and the list of attempted usernames (<code>tried_accounts</code>).</li>
<li>Implement multi-factor authentication (MFA) for all AWS accounts to mitigate the risk of password-based attacks.</li>
<li>Monitor AWS CloudTrail logs for unusual login patterns and failed authentication attempts.</li>
<li>Review and enforce strong password policies for all AWS users.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>cloudtrail</category><category>password-spraying</category></item></channel></rss>