AWS consoler detected

cloudtrail

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when a AWS consoler is seen in AWS CloudTrail logs.

Strategy

This rule monitors AWS CloudTrail logs for the GetCallerIdentity API call with the parameter aws_consoler. AWS consoler is a tool that converts AWS CLI credentials into AWS console access. While this tool can be used legitimately by teams, it may also be used by attackers to gain access to a victim’s console.

Triage and response

  1. Determine if your organization is using the AWS consoler.
  2. If it is an internal tool, notify the relevant team so that the leaked key can be triaged appropriately.
  3. If the results of the triage indicate that this tool is not used by your organization, begin your company’s incident response process and an investigation.
    • If appropriate, disable or rotate the affected credential.
    • Investigate any actions taken by the identity {{@userIdentity.arn}}.
    • Work with the relevant teams to remove the key from any source code repositories.