Potential brute force attack on AWS ConsoleLogin

cloudtrail

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1110-brute-force

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when a user is a victim of an Account Take Over (ATO) by a brute force attack.

Strategy

This rule monitors CloudTrail and detects when any @evt.name has a value of Console Login, and @responseElements.ConsoleLogin has a value of Failure.

Triage and response

  1. Determine if the user logged in with 2FA.
  2. Reach out to the user and ensure the login was legitimate.

Changelog

  • 17 March 2022 - Updated rule query.
  • 10 February 2023 - Updated rule query.
  • 10 July 2023 - Updated group by fields.