Detection | medium | experimental

AWS ConsoleLogin Failed Authentication

Detects failed AWS console login attempts due to authentication failures. Monitoring these events is crucial for identifying potential brute-force attacks or unauthorized access attempts to AWS accounts.

Ivan Saakov, Nasreddine Bencherchali (Nextron Systems) | Created Sun Oct 19 | 6393e346-1977-46ef-8987-ad414a145fad | cloud
Log Source
Product: AWS (raw: aws)
Service: cloudtrail (raw: cloudtrail)
Detection Logic (1 selector)
detection:
    selection:
        eventName: 'ConsoleLogin'
        errorMessage: 'Failed authentication'
    condition: selection
False Positives

Legitimate failed login attempts by authorized users. Investigate the source of repeated failed login attempts.
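
An added example (not part of the Sigma rule or the project's own code) that applies the rule's selection to constructed CloudTrail records and groups the hits by source address, so a single mistyped password can be told apart from repeated failures. The sample events and the `threshold` value are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed CloudTrail records (sample data for this example, not real events).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "errorMessage": "Failed authentication",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "alice"}},
    {"eventName": "ConsoleLogin", "errorMessage": "Failed authentication",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "bob"}},
    {"eventName": "ConsoleLogin", "errorMessage": "Failed authentication",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "carol"}},
    {"eventName": "ConsoleLogin", "errorMessage": "Failed authentication",
     "sourceIPAddress": "203.0.113.20", "userIdentity": {"userName": "dave"}},
    # Successful login: no errorMessage field, so the selection must not match.
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"userName": "dave"}},
    # Different API call carrying an error: eventName does not match.
    {"eventName": "GetObject", "errorMessage": "Access Denied",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "alice"}},
]


def matches_selection(event):
    """Both fields of the rule's `selection` must match (logical AND).
    Plain Sigma string values compare case-insensitively."""
    want = {"eventName": "ConsoleLogin", "errorMessage": "Failed authentication"}
    return all(str(event.get(k, "")).casefold() == v.casefold()
               for k, v in want.items())


def triage(events, threshold=3):
    """Group rule hits by source IP and flag sources at or above `threshold`.
    `threshold` is a hypothetical triage value, not part of the rule."""
    by_source = defaultdict(lambda: {"failures": 0, "users": set()})
    for ev in filter(matches_selection, events):
        entry = by_source[ev.get("sourceIPAddress", "unknown")]
        entry["failures"] += 1
        entry["users"].add((ev.get("userIdentity") or {}).get("userName", "unknown"))
    return {ip: {**e, "repeated": e["failures"] >= threshold}
            for ip, e in by_source.items()}


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_EVENTS).items():
        print(ip, info["failures"], sorted(info["users"]), info["repeated"])
```

A source with failures spread across several user names is a different triage case from one user repeatedly failing from a usual address, which is why the grouping keeps the set of targeted users alongside the count.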

Rule Metadata
Rule ID: 6393e346-1977-46ef-8987-ad414a145fad
Status: experimental
Level: medium
Type: Detection
Created: Sun Oct 19
Path: rules/cloud/aws/cloudtrail/aws_cloudtrail_console_login_failed_authentication.yml
Raw Tags: attack.credential-access, attack.t1110