splApache-2.0from splunk/security_content

AWS Successful Single-Factor Authentication

The following analytic identifies a successful Console Login authentication event for an AWS IAM user account without Multi-Factor Authentication (MFA) enabled. It leverages AWS CloudTrail logs to detect instances where MFA was not used during login. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. If confirmed malicious, an attacker could gain unauthorized access to the AWS environment, potentially leading to data exfiltration, resource manipulation, or further privilege escalation.

Quality

FP risk

—

Forks

Views

Rule source🔒 locked

title: ████████████████████████
id: ████████-████-████-████-████████████
status: ██████████
description: ██████████████████████████████████████████
             ████████████████████████████████████████
author: ████████
tags:
  - attack.████
  - attack.████
logsource:
  product: ████████
  category: ████████████
detection:
  selection:
    Image|endswith: '████████████████'
    CommandLine|contains:
      - '████████████████████████'
      - '████████████████████████'
      - '██████████████████'
  condition: selection
level: ████████
falsepositives:
  - ████████████████████

🔒

Sign in to view the rule source

Free accounts can view the source for the top-ranked rules. Create one in seconds — no credit card required.