← Library
yara-lApache-2.0from chronicle/detection-rules

aws_console_login_without_mfa

Detect when a user logs into AWS console without MFA.

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1078T1078.004
Rule sourcerules/community/aws/cloudtrail/aws_console_login_without_mfa.yaral
/*
 * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

rule aws_console_login_without_mfa {

    meta:
      author = "Google Cloud Security"
      description = "Detect when a user logs into AWS console without MFA."
      rule_id = "mr_b03d1e57-7ed0-49e7-b125-6c18b364ae8c"
      rule_name = "AWS Console Login Without MFA"
      mitre_attack_tactic = "Initial Access"
      mitre_attack_technique = "Valid Accounts: Cloud Accounts"
      mitre_attack_url = "https://attack.mitre.org/techniques/T1078/004/"
      mitre_attack_version = "v13.1"
      type = "Alert"
      data_source = "AWS CloudTrail"
      platform = "AWS"
      severity = "Low"
      priority = "Low"

    events:

      $login.metadata.vendor_name = "AMAZON"
      $login.metadata.product_name = "AWS CloudTrail"
      $login.metadata.event_type = "USER_LOGIN"
      $login.metadata.product_event_type = "ConsoleLogin"
      $login.security_result.action= "ALLOW"
      $login.extensions.auth.auth_details = "MFAUsed: No"
      $login.additional.fields["recipientAccountId"] = $account_id

    match:
      $account_id over 1h

    outcome:
      $risk_score = max(
        //Baseline
        35 +
        if($login.principal.resource.type = "Root", 50)
      )
      $mitre_attack_tactic = "Initial Access"
      $mitre_attack_technique = "Valid Accounts: Cloud Accounts"
      $mitre_attack_technique_id = "T1078.004"
      $event_count = count_distinct($login.metadata.id)
      $network_http_user_agent = array_distinct($login.network.http.user_agent)
      $principal_ip = array_distinct($login.principal.ip)
      $principal_ip_country = array_distinct($login.principal.ip_geo_artifact.location.country_or_region)
      $principal_ip_state = array_distinct($login.principal.ip_geo_artifact.location.state)
      $target_user_display_name = array_distinct($login.target.user.user_display_name)
      $target_user_userid = array_distinct($login.target.user.userid)
      $is_mfa_used = array_distinct($login.extensions.auth.auth_details)
      $target_resource_name = array_distinct($login.target.resource.name)
      $target_resource_product_object_id = array_distinct($login.target.resource.product_object_id)

    condition:
      $login
}