Detectionmediumtest

AWS Root Credentials

Detects AWS root account usage

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

vitaliy0x1Created Tue Jan 21Updated Sun Oct 098ad1600d-e9dc-4251-b0ee-a65268f29addcloud

Log Source

AWScloudtrail

ProductAWS← raw: aws

Servicecloudtrail← raw: cloudtrail

Detection Logic

detection:
    selection_usertype:
        userIdentity.type: Root
    selection_eventtype:
        eventType: AwsServiceEvent
    condition: selection_usertype and not selection_eventtype

False Positives

AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html

References

Resolving title…

docs.aws.amazon.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0005 · Defense Evasion TA0001 · Initial Access TA0003 · Persistence

Sub-techniques

T1078.004 · Cloud Accounts

Rule Metadata

Rule ID

8ad1600d-e9dc-4251-b0ee-a65268f29add

Status

test

Level

medium

Type

Detection

Created

Tue Jan 21

Modified

Sun Oct 09

Author

vitaliy0x1

Path

rules/cloud/aws/cloudtrail/aws_root_account_usage.yml

Raw Tags

attack.privilege-escalationattack.defense-evasionattack.initial-accessattack.persistenceattack.t1078.004

View on GitHub