<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Federated-User - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/federated-user/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 19 Aug 2024 00:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/federated-user/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS Federated User Console Login without MFA Enforcement</title><link>https://feed.craftedsignal.io/briefs/2024-08-aws-federated-console-login/</link><pubDate>Mon, 19 Aug 2024 00:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-08-aws-federated-console-login/</guid><description>Detection of successful AWS Management Console logins by federated users, which pose a security risk due to potential lack of enforced MFA as CloudTrail does not reliably record MFA status for federated users.</description><content:encoded><![CDATA[<p>This detection identifies when a federated user successfully logs into the AWS Management Console. Federated users are granted temporary credentials to access AWS resources. A potential security risk arises if MFA is not enforced, as adversaries might exploit stolen or misconfigured credentials to gain unauthorized access. CloudTrail alone cannot reliably indicate MFA usage for federated logins. The rule increases priority if a related 'GetSigninToken' event has a different source IP, ASN, geo, or user-agent from the subsequent 'ConsoleLogin', suggesting possible token relay or abuse. This alert requires correlation with Identity Provider (IdP) authentication logs to confirm MFA enforcement for the session. This detection is crucial for organizations relying on federated access for AWS resources, as it helps identify potentially compromised accounts or misconfigured access policies.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker obtains valid credentials for a federated user, potentially through phishing, credential stuffing, or insider threat.</li>
<li>The attacker leverages the stolen credentials to request a sign-in token using <code>GetSigninToken</code> from <code>signin.amazonaws.com</code>.</li>
<li>The attacker initiates a <code>ConsoleLogin</code> event to the AWS Management Console using the obtained sign-in token.</li>
<li>The <code>ConsoleLogin</code> event is recorded in AWS CloudTrail with <code>aws.cloudtrail.user_identity.type</code> as &quot;FederatedUser&quot; and <code>event.outcome</code> as &quot;success&quot;.</li>
<li>Defenders observe the <code>ConsoleLogin</code> event and correlate it with IdP logs to ascertain if MFA was enforced during authentication.</li>
<li>If MFA was not enforced and the source IP/ASN/geo are suspicious, the attacker proceeds to perform unauthorized actions within the AWS environment.</li>
<li>The attacker may attempt lateral movement or privilege escalation using the federated user's granted permissions.</li>
<li>The attacker achieves their objective, such as data exfiltration, resource destruction, or deploying malicious infrastructure.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to unauthorized access to sensitive data, compromise of critical infrastructure, and potential financial losses. The severity depends on the permissions granted to the compromised federated user. Organizations in all sectors using AWS federated access are at risk. Without proper MFA enforcement, the likelihood of successful exploitation significantly increases. Failure to detect and respond to such incidents can result in compliance violations and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the following Sigma rule to detect successful AWS Management Console logins by federated users (see 'AWS Federated User Console Login' Sigma rule).</li>
<li>Correlate identified <code>ConsoleLogin</code> events with Identity Provider (IdP) logs to verify MFA enforcement, focusing on discrepancies in source IP, ASN, geo, or user-agent between 'GetSigninToken' and 'ConsoleLogin' events.</li>
<li>Implement or enforce multi-factor authentication (MFA) for all federated user accounts to enhance security and prevent similar incidents in the future.</li>
<li>Review and update IAM policies and roles associated with federated users to ensure they follow the principle of least privilege.</li>
<li>Maintain allow-lists for corp/VPN CIDRs, approved ASNs, and known automation user-agents to reduce false positives.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>cloudtrail</category><category>federated-user</category><category>initial-access</category></item></channel></rss>