LoFP / a user with successful authentication events from different ips may also represent the legitimate use of more than one device. filter as needed and/or customize the threshold to fit your environment.

Techniques

• T1110.001
• T1110.003
• T1535
• T1586

Sample rules

AWS Successful Console Authentication From Multiple IPs

• source: splunk
• technicques:
  • T1586
  • T1535

Description

The following analytic detects an AWS account successfully authenticating from multiple unique IP addresses within a 5-minute window. It leverages AWS CloudTrail logs, specifically monitoring ConsoleLogin events and counting distinct source IPs. This behavior is significant as it may indicate compromised credentials, potentially from a phishing attack, being used concurrently by an adversary and a legitimate user. If confirmed malicious, this activity could allow unauthorized access to corporate resources, leading to data breaches or further exploitation within the AWS environment.

Detection logic

`cloudtrail` eventName = ConsoleLogin 
| bin span=5m _time 
| rename user_name as user 
| stats  dc(src) as distinct_ip_count values(src) as src values(user_agent) as user_agent values(dest) as dest by _time, user, signature, vendor_account, vendor_region, vendor_product 
| where distinct_ip_count>1 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_successful_console_authentication_from_multiple_ips_filter`

Azure AD Successful Authentication From Different Ips

• source: splunk
• technicques:
  • T1110.001
  • T1110.003

Description

The following analytic detects an Azure AD account successfully authenticating from multiple unique IP addresses within a 30-minute window. It leverages Azure AD SignInLogs to identify instances where the same user logs in from different IPs in a short time frame. This behavior is significant as it may indicate compromised credentials being used by an adversary, potentially following a phishing attack. If confirmed malicious, this activity could allow unauthorized access to corporate resources, leading to data breaches or further exploitation within the network.

Detection logic

`azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=SignInLogs 
| rename properties.* as * 
| bucket span=30m _time 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime dc(src) AS unique_ips values(dest) as dest values(src) as src by user vendor_account vendor_product signature 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| where unique_ips > 1 
| `azure_ad_successful_authentication_from_different_ips_filter`