security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] AWS Management Console Attempted Root Login Brute Force (#88)

Browse Source 
* Create initial_access_root_console_failure_brute_force.toml

* bumping threshold value to 10

* Update rules/aws/initial_access_root_console_failure_brute_force.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/aws/initial_access_root_console_failure_brute_force.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update initial_access_root_console_failure_brute_force.toml

* Update rules/aws/initial_access_root_console_failure_brute_force.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update initial_access_root_console_failure_brute_force.toml

* update with FP info

* update threshold field

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
This commit is contained in:
Brent Murphy
2020-09-28 13:37:22 -04:00
committed by GitHub
parent 0affb48b07
commit 8a5e0dd441
1 changed files with 53 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/aws/initial_access_root_console_failure_brute_force.toml
+53
View File
@@ -0,0 +1,53 @@
[metadata]
creation_date = "2020/07/21"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/09/03"
[rule]
author = ["Elastic"]
description = """
Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An
adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services
and resources for the AWS account.
"""
false_positives = [
"""
Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false
positives.
""",
]
from = "now-20m"
index = ["filebeat-*", "logs-aws*"]
language = "kuery"
license = "Elastic License"
name = "AWS Management Console Brute Force of Root User Identity"
note = "The AWS Filebeat module must be enabled to use this rule."
references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]
risk_score = 73
rule_id = "4d50a94f-2844-43fa-8395-6afbd5e1c5ef"
severity = "high"
tags = ["AWS", "Continuous Monitoring", "Elastic", "Identity and Access", "SecOps"]
type = "threshold"
query = '''
event.module:aws and event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[rule.threshold]
field = "cloud.account.id"
value = 10