LoFP / A user with concurrent sessions from different IPs may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.

Techniques

Sample rules

Azure AD Concurrent Sessions From Different Ips

Description

The following analytic identifies an Azure AD account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victim's browser and is using them from a different location to access corporate online resources. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.

Detection logic

`azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=NonInteractiveUserSignInLogs
| rename properties.* as *
| bucket span=30m _time
| stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) as unique_ips values(src_ip) as src_ip values(appDisplayName) as appDisplayName by user
| where unique_ips > 1
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_concurrent_sessions_from_different_ips_filter`

ASL AWS Concurrent Sessions From Different Ips

Description

The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victim's browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name DescribeEventAggregates is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.

Detection logic

`amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS Internal"
| bin span=5m _time
| stats values(src_endpoint.ip) as src_endpoint.ip dc(src_endpoint.ip) as distinct_ip_count by _time identity.user.credential_uid identity.user.name
| where distinct_ip_count > 1
| `aws_concurrent_sessions_from_different_ips_filter`

AWS Concurrent Sessions From Different Ips

Description

The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victim's browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name DescribeEventAggregates is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.

Detection logic

`cloudtrail` eventName=DescribeEventAggregates src_ip!="AWS Internal"
| bin span=5m _time
| stats values(userAgent) values(eventName) values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn
| where distinct_ip_count > 1
| `aws_concurrent_sessions_from_different_ips_filter`
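The three rules above share one aggregation: bucket events by time, count distinct source IPs per account in each bucket, and alert when the count exceeds one. The following Python is an added example (not part of the Splunk content or any of the rules) that reproduces the CloudTrail variant over constructed sample records, so the bucket-boundary behaviour and the effect of the span and the `_filter` macro can be seen directly; the allowlist used to stand in for the filter macro is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed CloudTrail-style records for illustration (not real log data); times are UTC.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:10Z", "eventName": "DescribeEventAggregates",
     "user_arn": "arn:aws:iam::111111111111:user/alice", "src_ip": "198.51.100.10"},
    {"eventTime": "2024-01-01T10:02:45Z", "eventName": "DescribeEventAggregates",
     "user_arn": "arn:aws:iam::111111111111:user/alice", "src_ip": "203.0.113.77"},
    # bob's two IPs are 8 minutes apart: separate 5m buckets, but one 30m bucket.
    {"eventTime": "2024-01-01T10:01:00Z", "eventName": "DescribeEventAggregates",
     "user_arn": "arn:aws:iam::111111111111:user/bob", "src_ip": "198.51.100.20"},
    {"eventTime": "2024-01-01T10:09:00Z", "eventName": "DescribeEventAggregates",
     "user_arn": "arn:aws:iam::111111111111:user/bob", "src_ip": "203.0.113.5"},
    # carol: one record carries "AWS Internal", which the search excludes.
    {"eventTime": "2024-01-01T10:03:00Z", "eventName": "DescribeEventAggregates",
     "user_arn": "arn:aws:iam::111111111111:user/carol", "src_ip": "AWS Internal"},
    {"eventTime": "2024-01-01T10:03:30Z", "eventName": "DescribeEventAggregates",
     "user_arn": "arn:aws:iam::111111111111:user/carol", "src_ip": "198.51.100.30"},
    # dave: a different API call, so it never enters the aggregation.
    {"eventTime": "2024-01-01T10:04:00Z", "eventName": "ListBuckets",
     "user_arn": "arn:aws:iam::111111111111:user/dave", "src_ip": "198.51.100.40"},
]

def bin_start(event_time, span_seconds):
    """Equivalent of `bin span=5m _time`: floor the epoch timestamp to its bucket start."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(ts.timestamp())
    return epoch - (epoch % span_seconds)

def concurrent_sessions(events, span_seconds=300, threshold=1, allowlist=frozenset()):
    """Mirror the SPL pipeline: filter on eventName and src_ip, bucket by time, count
    distinct IPs per (bucket, user_arn), keep groups above the threshold, then apply the
    `_filter` macro, modelled here (an assumption) as an allowlist of user ARNs."""
    ips_by_key = defaultdict(set)
    for ev in events:
        if ev["eventName"] != "DescribeEventAggregates" or ev["src_ip"] == "AWS Internal":
            continue
        ips_by_key[(bin_start(ev["eventTime"], span_seconds), ev["user_arn"])].add(ev["src_ip"])
    hits = [
        {"_time": t, "user_arn": u, "src_ip": sorted(ips), "distinct_ip_count": len(ips)}
        for (t, u), ips in ips_by_key.items()
        if len(ips) > threshold and u not in allowlist
    ]
    return sorted(hits, key=lambda h: (h["_time"], h["user_arn"]))

if __name__ == "__main__":
    for hit in concurrent_sessions(SAMPLE_EVENTS):
        print(hit)
```

Because `bin` uses fixed wall-clock buckets, two sign-ins a minute apart can still land in different buckets when they straddle a boundary, and widening the span (as the Azure rule's 30m does) trades that miss for more legitimate multi-device hits.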