AWS Successful Single-Factor Authentication

Name:AWS Successful Single-Factor Authentication
id:a520b1fe-cc9e-4f56-b762-18354594c52f
version:3
date:2024-09-30
author:Bhavin Patel, Splunk
status:production
type:TTP
Description:The following analytic identifies a successful Console Login authentication event for an AWS IAM user account without Multi-Factor Authentication (MFA) enabled. It leverages AWS CloudTrail logs to detect instances where MFA was not used during login. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. If confirmed malicious, an attacker could gain unauthorized access to the AWS environment, potentially leading to data exfiltration, resource manipulation, or further privilege escalation.
Data_source:

• -AWS CloudTrail ConsoleLogin

search:`cloudtrail` eventName= ConsoleLogin errorCode=success "additionalEventData.MFAUsed"=No
| stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id errorCode additionalEventData.MFAUsed userAgent eventID awsRegion user_name userIdentity.arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_successful_single_factor_authentication_filter`

how_to_implement:The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs.
known_false_positives:It is possible that some accounts do not have MFA enabled for the AWS account however its agaisnt the best practices of securing AWS.
References:
  -https://attack.mitre.org/techniques/T1621/
  -https://attack.mitre.org/techniques/T1078/004/
  -https://aws.amazon.com/what-is/mfa/
drilldown_searches:
 name:'View the detection results for - "$user_name$"'
 search:'%original_detection_search% | search user_name = "$user_name$"'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
 name:'View risk events for the last 7 days for - "$user_name$"'
 search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
tags:
  analytic_story:
    - 'AWS Identity and Access Management Account Takeover'
  asset_type:AWS Account
  confidence:80
  impact:80
  message:User $user_name$ has successfully logged into an AWS Console without Multi-Factor Authentication from $src$
  mitre_attack_id:
    - 'T1586'
    - 'T1586.003'
    - 'T1078'
    - 'T1078.004'
  observable:
    name:'user_name'
    type:'User'
    - role:
      - 'Victim'
    name:'src'
    type:'IP Address'
    - role:
      - 'Attacker'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - 'src'
    - 'eventName'
    - 'eventSource'
    - 'aws_account_id'
    - 'errorCode'
    - 'additionalEventData.MFAUsed'
    - 'userAgent'
    - 'eventID'
    - 'awsRegion'
    - 'user_name'
    - 'userIdentity.arn'
  risk_score:64
  security_domain:threat

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/aws_login_sfa/cloudtrail.json
  sourcetype: aws:cloudtrail
  source: aws_cloudtrail
  update_timestamp: True
manual_test:None