Potential brute force attack on AWS ConsoleLogin

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when a user is a victim of an Account Take Over (ATO) by a brute force attack.

Strategy

This rule monitors CloudTrail and detects when any @evt.name has a value of Console Login, and @responseElements.ConsoleLogin has a value of Failure.

Triage and response

  1. Determine if the user logged in with 2FA.
  2. Reach out to the user and ensure the login was legitimate.

Changelog

  • 17 March 2022 - Updated rule query.
  • 10 February 2023 - Updated rule query.
  • 10 July 2023 - Updated group by fields.