{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/federated-user/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon Web Services","AWS Management Console"],"_cs_severities":["medium"],"_cs_tags":["aws","cloudtrail","federated-user","initial-access"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis detection identifies when a federated user successfully logs into the AWS Management Console. Federated users are granted temporary credentials to access AWS resources. A potential security risk arises if MFA is not enforced, as adversaries might exploit stolen or misconfigured credentials to gain unauthorized access. CloudTrail alone cannot reliably indicate MFA usage for federated logins. The rule increases priority if a related 'GetSigninToken' event has a different source IP, ASN, geo, or user-agent from the subsequent 'ConsoleLogin', suggesting possible token relay or abuse. This alert requires correlation with Identity Provider (IdP) authentication logs to confirm MFA enforcement for the session. This detection is crucial for organizations relying on federated access for AWS resources, as it helps identify potentially compromised accounts or misconfigured access policies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains valid credentials for a federated user, potentially through phishing, credential stuffing, or insider threat.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the stolen credentials to request a sign-in token using \u003ccode\u003eGetSigninToken\u003c/code\u003e from \u003ccode\u003esignin.amazonaws.com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a \u003ccode\u003eConsoleLogin\u003c/code\u003e event to the AWS Management Console using the obtained sign-in token.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eConsoleLogin\u003c/code\u003e event is recorded in AWS CloudTrail with \u003ccode\u003eaws.cloudtrail.user_identity.type\u003c/code\u003e as \u0026quot;FederatedUser\u0026quot; and \u003ccode\u003eevent.outcome\u003c/code\u003e as \u0026quot;success\u0026quot;.\u003c/li\u003e\n\u003cli\u003eDefenders observe the \u003ccode\u003eConsoleLogin\u003c/code\u003e event and correlate it with IdP logs to ascertain if MFA was enforced during authentication.\u003c/li\u003e\n\u003cli\u003eIf MFA was not enforced and the source IP/ASN/geo are suspicious, the attacker proceeds to perform unauthorized actions within the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt lateral movement or privilege escalation using the federated user's granted permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration, resource destruction, or deploying malicious infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data, compromise of critical infrastructure, and potential financial losses. The severity depends on the permissions granted to the compromised federated user. Organizations in all sectors using AWS federated access are at risk. Without proper MFA enforcement, the likelihood of successful exploitation significantly increases. Failure to detect and respond to such incidents can result in compliance violations and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect successful AWS Management Console logins by federated users (see 'AWS Federated User Console Login' Sigma rule).\u003c/li\u003e\n\u003cli\u003eCorrelate identified \u003ccode\u003eConsoleLogin\u003c/code\u003e events with Identity Provider (IdP) logs to verify MFA enforcement, focusing on discrepancies in source IP, ASN, geo, or user-agent between 'GetSigninToken' and 'ConsoleLogin' events.\u003c/li\u003e\n\u003cli\u003eImplement or enforce multi-factor authentication (MFA) for all federated user accounts to enhance security and prevent similar incidents in the future.\u003c/li\u003e\n\u003cli\u003eReview and update IAM policies and roles associated with federated users to ensure they follow the principle of least privilege.\u003c/li\u003e\n\u003cli\u003eMaintain allow-lists for corp/VPN CIDRs, approved ASNs, and known automation user-agents to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-08-19T00:00:00Z","date_published":"2024-08-19T00:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-08-aws-federated-console-login/","summary":"Detection of successful AWS Management Console logins by federated users, which pose a security risk due to potential lack of enforced MFA as CloudTrail does not reliably record MFA status for federated users.","title":"AWS Federated User Console Login without MFA Enforcement","url":"https://feed.craftedsignal.io/briefs/2024-08-aws-federated-console-login/"}],"language":"en","title":"CraftedSignal Threat Feed - Federated-User","version":"https://jsonfeed.org/version/1.1"}