From 8a5e0dd4413414269cb03eccce03f4d61b27d83f Mon Sep 17 00:00:00 2001
From: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Date: Mon, 28 Sep 2020 13:37:22 -0400
Subject: [PATCH] [New Rule] AWS Management Console Attempted Root Login Brute Force (#88)

* Create initial_access_root_console_failure_brute_force.toml
* bumping threshold value to 10
* Update rules/aws/initial_access_root_console_failure_brute_force.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/aws/initial_access_root_console_failure_brute_force.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update initial_access_root_console_failure_brute_force.toml
* Update rules/aws/initial_access_root_console_failure_brute_force.toml
Co-authored-by: Justin Ibarra
* Update initial_access_root_console_failure_brute_force.toml
* update with FP info
* update threshold field
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra
---
 ...cess_root_console_failure_brute_force.toml | 53 +++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 rules/aws/initial_access_root_console_failure_brute_force.toml

diff --git a/rules/aws/initial_access_root_console_failure_brute_force.toml b/rules/aws/initial_access_root_console_failure_brute_force.toml
new file mode 100644
index 000000000..990c37103
--- /dev/null
+++ b/rules/aws/initial_access_root_console_failure_brute_force.toml
@@ -0,0 +1,53 @@
+[metadata]
+creation_date = "2020/07/21"
+ecs_version = ["1.6.0"]
+maturity = "production"
+updated_date = "2020/09/03"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An
+adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services
+and resources for the AWS account.
+"""
+false_positives = [
+ """
+ Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false
+ positives.
+ """,
+]
+from = "now-20m"
+index = ["filebeat-*", "logs-aws*"]
+language = "kuery"
+license = "Elastic License"
+name = "AWS Management Console Brute Force of Root User Identity"
+note = "The AWS Filebeat module must be enabled to use this rule."
+references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]
+risk_score = 73
+rule_id = "4d50a94f-2844-43fa-8395-6afbd5e1c5ef"
+severity = "high"
+tags = ["AWS", "Continuous Monitoring", "Elastic", "Identity and Access", "SecOps"]
+type = "threshold"
+
+query = '''
+event.module:aws and event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1110"
+name = "Brute Force"
+reference = "https://attack.mitre.org/techniques/T1110/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[rule.threshold]
+field = "cloud.account.id"
+value = 10
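Review bot: The threshold's tuning rationale is not recorded anywhere in the new file: `[rule.threshold]` sets `value = 10` against the `from = "now-20m"` lookback, and `note` only says the Filebeat module must be enabled, so a later maintainer cannot tell whether ten failures in twenty minutes was picked to ride out a few mistyped passwords or to still catch slow guessing. A comment above `[rule.threshold]` would keep that intent with the rule, e.g. `# Fires on 10 failed Root ConsoleLogin events per cloud.account.id inside the 20m lookback (from = "now-20m"); an account has a single Root user, so this is effectively per-identity` — adjust the wording to whichever reason actually drove the "bumping threshold value to 10" commit. Separately, the spacing around the threat block is inconsistent with the rest of the file: two blank lines precede `[[rule.threat]]` and `[rule.threat.tactic]`, while `[[rule.threat.technique]]` follows `framework = "MITRE ATT&CK"` with none; one blank line before each table header would match the `[metadata]` and `[rule]` sections.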