The rule will detect IAM user console login without MFA.

```yaml
title: AWS IAM User Login Without MFA
id: -
status: experimental   # new rules enter the Sigma repository as experimental, not stable
description: Detects an AWS Management Console login by an IAM user that did not use MFA, which weakens account security and violates common compliance baselines.
references:
    - https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/iam-user-without-mfa/
    - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html
author: Thuya@Hacktilizer
date: 2024-11-08
modified: 2024-11-08
tags:
    - attack.initial-access   # Sigma tag form for the tactic ("attack.Initial Access" is not valid)
    - attack.t1078.004        # Valid Accounts: Cloud Accounts
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventName: 'ConsoleLogin'
        userIdentity.type: 'IAMUser'         # root and federated sign-ins also emit ConsoleLogin; the rule is about IAM users
        additionalEventData.MFAUsed: 'No'    # value as CloudTrail logs it; Sigma string matching is case-insensitive
    condition: selection
falsepositives:
    - IAM users that legitimately sign in without MFA (accounts exempted from MFA for a documented reason)
level: medium
```

Public References / Example Event Log

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html

```json
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EXAMPLE6E4XEGITWATV6R",
        "arn": "arn:aws:iam::999999999999:user/Anaya",
        "accountId": "999999999999",
        "userName": "Anaya"
    },
    "eventTime": "2023-07-19T21:44:40Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0",
    "requestParameters": null,
    "responseElements": {
        "ConsoleLogin": "Success"
    },
    "additionalEventData": {
        "LoginTo": "https://console.aws.amazon.com/console/home?hashArgs=%23&isauthcode=true&state=hashArgsFromTB_us-east-1_examplee9aba7f8",
        "MobileVersion": "No",
        "MFAUsed": "No"
    },
    "eventID": "e1bf1000-86a4-4a78-81d7-EXAMPLE83102",
    "readOnly": false,
    "eventType": "AwsConsoleSignIn",
    "managementEvent": true,
    "recipientAccountId": "999999999999",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com"
    }
}
```
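The following is an added example, not code from this issue or from the Sigma project. It runs the rule's selection over a constructed CloudTrail log the way a Sigma backend would: dotted field names (`additionalEventData.MFAUsed`) are resolved into the nested JSON record and string values are compared case-insensitively, so the `'NO'` in the posted rule and the `"No"` CloudTrail writes compare equal. The records are constructed for this example: the first mirrors the AWS documentation event above, the others are hypothetical sign-ins by an MFA-using IAM user, the root user and a federated role, plus an ordinary API call. Running the selection with and without a `userIdentity.type` filter shows why a rule whose title says "IAM user" needs that field: root and AssumedRole console sign-ins also produce `ConsoleLogin` events.

```python
"""Evaluate the 'IAM user login without MFA' selection over CloudTrail records.

Added example, not code from the Sigma issue or the Sigma project. All records
in CONSTRUCTED_LOG are constructed for this example; the first mirrors the AWS
documentation event quoted in the issue, the remaining ones are hypothetical.
"""
import json
from typing import Any, Dict, List, Optional

# Rule selection with the principal-type filter added, so that root and
# federated console sign-ins do not fire a rule that is about IAM users.
SELECTION: Dict[str, str] = {
    "eventName": "ConsoleLogin",
    "userIdentity.type": "IAMUser",
    "additionalEventData.MFAUsed": "No",
}

# Selection exactly as written in the issue (no principal-type filter).
ISSUE_SELECTION: Dict[str, str] = {
    "eventName": "ConsoleLogin",
    "additionalEventData.MFAUsed": "NO",
}

# Constructed CloudTrail log file body in the {"Records": [...]} layout.
CONSTRUCTED_LOG = json.dumps({"Records": [
    {"eventID": "evt-iamuser-nomfa", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "Anaya",
                      "arn": "arn:aws:iam::999999999999:user/Anaya"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MobileVersion": "No", "MFAUsed": "No"}},
    {"eventID": "evt-iamuser-mfa", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "Bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MobileVersion": "No", "MFAUsed": "Yes"}},
    {"eventID": "evt-root-nomfa", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::999999999999:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MobileVersion": "No", "MFAUsed": "No"}},
    {"eventID": "evt-federated-nomfa", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::999999999999:assumed-role/Admins/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MobileVersion": "No", "MFAUsed": "No"}},
    {"eventID": "evt-api-call", "eventName": "ListUsers",
     "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "Anaya"}},
]})


def load_records(log_text: str) -> List[dict]:
    """Parse a CloudTrail log file body and return its Records list."""
    return json.loads(log_text).get("Records", [])


def get_path(event: dict, dotted: str) -> Optional[Any]:
    """Resolve a Sigma-style dotted field name ('a.b.c') inside a nested event."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None  # field absent: the selection cannot match on it
        cur = cur[part]
    return cur


def matches(event: dict, selection: Dict[str, str]) -> bool:
    """A Sigma selection ANDs its fields; string values match case-insensitively."""
    for field, expected in selection.items():
        actual = get_path(event, field)
        if actual is None or str(actual).lower() != expected.lower():
            return False
    return True


def evaluate(log_text: str, selection: Dict[str, str] = SELECTION) -> List[str]:
    """Return the eventIDs of the records that the selection fires on."""
    return [r.get("eventID", "?") for r in load_records(log_text)
            if matches(r, selection)]


if __name__ == "__main__":
    print("with userIdentity.type filter:", evaluate(CONSTRUCTED_LOG))
    print("selection as posted:          ", evaluate(CONSTRUCTED_LOG, ISSUE_SELECTION))
```

With the filter only the IAM user's password-only login fires; the selection as posted also fires on the root and federated sign-ins, which belong in their own rules rather than under this title.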
Welcome @thuya-hacktilizer 👋
It looks like this is your first issue on the Sigma rules repository!
The following repository accepts issues related to false positives or 'rule ideas'.
If you're reporting an issue related to the pySigma library please consider submitting it here
If you're reporting an issue related to the deprecated sigmac library please consider submitting it here
Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃