LoFP / no known false postives for this detection. please review this alert

• T1110
• T1110.003
• T1110.004
• T1586
• T1586.003

Sample rules

AWS Multiple Users Failing To Authenticate From Ip

• source: splunk
• technicques:
  • T1110
  • T1110.003
  • T1110.004

Description

The following analytic identifies a single source IP failing to authenticate into the AWS Console with 30 unique valid users within 10 minutes. It leverages CloudTrail logs to detect multiple failed login attempts from the same IP address. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain unauthorized access or elevate privileges by trying common passwords across many accounts. If confirmed malicious, this activity could lead to unauthorized access, data breaches, or further exploitation within the AWS environment.

Detection logic

`cloudtrail` eventName=ConsoleLogin action=failure 
| bucket span=10m _time 
| stats  dc(user_name) AS unique_accounts values(user_name) as tried_accounts by _time, src_ip 
| where unique_accounts>30 
| `aws_multiple_users_failing_to_authenticate_from_ip_filter`

AWS Unusual Number of Failed Authentications From Ip

• source: splunk
• technicques:
  • T1586
  • T1586.003
  • T1110
  • T1110.003
  • T1110.004

Description

The following analytic identifies a single source IP failing to authenticate into the AWS Console with multiple valid users. It uses CloudTrail logs and calculates the standard deviation for source IP, leveraging the 3-sigma rule to detect unusual numbers of failed authentication attempts. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, data breaches, or further exploitation within the AWS environment.

Detection logic

`cloudtrail` eventName=ConsoleLogin action=failure 
| bucket span=10m _time 
| stats  dc(_raw) AS distinct_attempts values(user_name) as tried_accounts by _time, src_ip 
| eventstats  avg(distinct_attempts) as avg_attempts , stdev(distinct_attempts) as ip_std by _time 
| eval  upperBound=(avg_attempts+ip_std*3) 
| eval  isOutlier=if(distinct_attempts > 10 and distinct_attempts >= upperBound, 1, 0) 
| where isOutlier = 1 
|`aws_unusual_number_of_failed_authentications_from_ip_filter`

GCP Multiple Users Failing To Authenticate From Ip

• source: splunk
• technicques:
  • T1586
  • T1586.003
  • T1110
  • T1110.003
  • T1110.004

Description

The following analytic detects a single source IP address failing to authenticate into more than 20 unique Google Workspace user accounts within a 5-minute window. It leverages Google Workspace login failure events to identify potential password spraying attacks. This activity is significant as it may indicate an adversary attempting to gain unauthorized access or elevate privileges within the Google Cloud Platform. If confirmed malicious, this behavior could lead to unauthorized access to sensitive resources, data breaches, or further exploitation within the environment.

Detection logic

`gws_reports_login` event.type = login event.name = login_failure 
| bucket span=5m _time 
| stats count dc(user) AS unique_accounts values(user) as tried_accounts values(authentication_method) AS authentication_method earliest(_time) as firstTime latest(_time) as lastTime by _time event.name src app id.applicationName 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|  where unique_accounts > 20 
| `gcp_multiple_users_failing_to_authenticate_from_ip_filter`