Detectionmediumexperimental
AWS Successful Console Login Without MFA
Detects successful AWS console logins that were performed without Multi-Factor Authentication (MFA). This alert can be used to identify potential unauthorized access attempts, as logging in without MFA can indicate compromised credentials or misconfigured security settings.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
AWScloudtrail
ProductAWS← raw: aws
Servicecloudtrail← raw: cloudtrail
Detection Logic
Detection Logic1 selector
detection:
selection:
eventName: 'ConsoleLogin'
additionalEventData.MFAUsed: 'NO'
responseElements.ConsoleLogin: 'Success'
condition: selectionFalse Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
MITRE ATT&CK
Rule Metadata
Rule ID
77caf516-34e5-4df9-b4db-20744fea0a60
Status
experimental
Level
medium
Type
Detection
Created
Sat Oct 18
Modified
Tue Oct 21
Author
Path
rules/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_without_mfa.yml
Raw Tags
attack.initial-accessattack.defense-evasionattack.persistenceattack.privilege-escalationattack.t1078.004