From c1a1cf685425a7c352dfad14dcb0ca37c50b2a1c Mon Sep 17 00:00:00 2001 From: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com> Date: Tue, 7 Jul 2020 08:26:51 -0700 Subject: [PATCH] [New Rule] AWS Root Login Without MFA Co-authored-by: Derek Ditch Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> --- ...ege_escalation_root_login_without_mfa.toml | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 rules/aws/privilege_escalation_root_login_without_mfa.toml diff --git a/rules/aws/privilege_escalation_root_login_without_mfa.toml b/rules/aws/privilege_escalation_root_login_without_mfa.toml new file mode 100644 index 000000000..59b3539f5 --- /dev/null +++ b/rules/aws/privilege_escalation_root_login_without_mfa.toml @@ -0,0 +1,48 @@ +[metadata] +creation_date = "2020/07/06" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/07/07" + +[rule] +author = ["Elastic"] +description = """ +Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best +practices indicate that the root user should be protected by MFA. +""" +false_positives = [ + """ + Some organizations allow login with the root user without MFA, however this is not considered best practice by AWS + and increases the risk of compromised credentials. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS Root Login Without MFA" +references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"] +risk_score = 21 +rule_id = "bc0c6f0d-dab0-47a3-b135-0925f0a333bc" +severity = "low" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.module:aws and event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/"