Console Login without MFA

idempotent

Platform: AWS

MITRE ATT&CK Tactics

  • Initial Access

Description

Simulates a login to the AWS Console for an IAM user without multi-factor authentication (MFA).

Warm-up:

  • Create an IAM user
  • Create a console profile for this user so it can log in to the AWS Console

Detonation:

  • Log in to the AWS Console

Instructions

Detonate with Stratus Red Team
stratus detonate aws.initial-access.console-login-without-mfa

Detection

Use the CloudTrail ConsoleLogin event (eventSource signin.amazonaws.com). The field additionalEventData.MFAUsed is set to No when the authentication did not use MFA; a successful login is indicated by responseElements.ConsoleLogin being Success.

Sample CloudTrail event (redacted for clarity):

{
    "userIdentity": {
        "session_name": "console-user-wgrosmao",
        "type": "IAMUser",
        "arn": "arn:aws:iam::123456789123:user/console-user-wgrosmao",
        "accountId": "123456789123",
        "userName": "console-user-wgrosmao",
        "principalId": "AIDA254BBSGPKOYEB6PTV"
    },
    "eventSource": "signin.amazonaws.com",
    "eventType": "AwsConsoleSignIn",
    "eventCategory": "Management",
    "awsRegion": "us-east-1",
    "eventName": "ConsoleLogin",
    "readOnly": false,
    "eventTime": "2022-05-30T14:24:34Z",
    "managementEvent": true,
    "additionalEventData": {
        "MFAUsed": "No",
        "LoginTo": "https://console.aws.amazon.com/console/home",
        "MobileVersion": "No"
    },
    "responseElements": {
        "ConsoleLogin": "Success"
    }
}

Note that for failed console authentication events, the field userIdentity.arn is not set (see https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html#cloudtrail-aws-console-sign-in-events-iam-user-failure).
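The following detector is an added example, not code from Stratus Red Team or the page itself. It reads a CloudTrail log-file object ({"Records": [...]}) and flags successful ConsoleLogin events where additionalEventData.MFAUsed is No. The four sample records are constructed for illustration, modelled on the fields in the redacted event above and on the AWS documentation for failed sign-ins. Two practitioner caveats are built in: failed logins carry no userIdentity.arn, so the code falls back to userName/principalId instead of raising; and the rule is limited to IAMUser and Root principals, because for federated (AssumedRole) console sessions the field is also No even when the identity provider enforced MFA, which would otherwise produce false positives. The account, user and IP values are placeholders.

```python
"""Flag successful AWS Console logins that did not use MFA (added example)."""
import json
from typing import Iterable

# Constructed CloudTrail records (not real events), shaped like a log-file object.
CLOUDTRAIL_FILE = json.dumps({"Records": [
    {   # 1. Successful IAM user login without MFA: the case this page simulates.
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE",
                         "arn": "arn:aws:iam::123456789123:user/console-user-wgrosmao",
                         "accountId": "123456789123", "userName": "console-user-wgrosmao"},
        "eventTime": "2022-05-30T14:24:34Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "additionalEventData": {"MFAUsed": "No", "MobileVersion": "No",
                                "LoginTo": "https://console.aws.amazon.com/console/home"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # 2. Same user with MFA: must not alert.
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE",
                         "arn": "arn:aws:iam::123456789123:user/console-user-wgrosmao",
                         "accountId": "123456789123", "userName": "console-user-wgrosmao"},
        "eventTime": "2022-05-30T15:01:02Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "additionalEventData": {"MFAUsed": "Yes", "MobileVersion": "No",
                                "LoginTo": "https://console.aws.amazon.com/console/home"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # 3. Failed login: CloudTrail omits userIdentity.arn, so no KeyError allowed.
        "userIdentity": {"type": "IAMUser", "principalId": "HIDDEN_DUE_TO_SECURITY_REASONS",
                         "accountId": "123456789123", "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"},
        "eventTime": "2022-05-30T14:20:11Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "additionalEventData": {"MFAUsed": "No", "MobileVersion": "No",
                                "LoginTo": "https://console.aws.amazon.com/console/home"},
        "responseElements": {"ConsoleLogin": "Failure"},
        "errorMessage": "Failed authentication",
    },
    {   # 4. Federated session: MFAUsed is "No" even if the IdP enforced MFA, so excluded.
        "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:alice",
                         "arn": "arn:aws:sts::123456789123:assumed-role/Admin/alice",
                         "accountId": "123456789123"},
        "eventTime": "2022-05-30T16:00:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.5",
        "additionalEventData": {"MFAUsed": "No", "MobileVersion": "No",
                                "LoginTo": "https://console.aws.amazon.com/console/home"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
]})

# Principal types for which MFAUsed reliably reflects whether MFA was used (assumption
# made for this example; federated types are evaluated by the identity provider).
DIRECT_LOGIN_TYPES = {"IAMUser", "Root"}


def iter_records(cloudtrail_json: str) -> Iterable[dict]:
    """Yield events from a CloudTrail log-file object."""
    return json.loads(cloudtrail_json).get("Records", [])


def principal_of(event: dict) -> str:
    """ARN if present, otherwise a type:userName (or principalId) label.

    Failed console sign-ins have no userIdentity.arn, so the fallback is needed."""
    ident = event.get("userIdentity", {})
    if ident.get("arn"):
        return ident["arn"]
    return f"{ident.get('type', '?')}:{ident.get('userName') or ident.get('principalId', '?')}"


def is_console_login(event: dict) -> bool:
    return (event.get("eventSource") == "signin.amazonaws.com"
            and event.get("eventName") == "ConsoleLogin")


def is_console_login_without_mfa(event: dict) -> bool:
    """True for a successful, direct (IAM user / root) console login with MFAUsed == No."""
    if not is_console_login(event):
        return False
    if event.get("userIdentity", {}).get("type") not in DIRECT_LOGIN_TYPES:
        return False
    if event.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return False
    return event.get("additionalEventData", {}).get("MFAUsed") == "No"


def detect(cloudtrail_json: str) -> list[dict]:
    """Return one finding per non-MFA console login: principal, time, source IP."""
    return [{"principal": principal_of(ev), "time": ev.get("eventTime"),
             "source_ip": ev.get("sourceIPAddress")}
            for ev in iter_records(cloudtrail_json) if is_console_login_without_mfa(ev)]


def failed_logins(cloudtrail_json: str) -> list[str]:
    """Principal labels of failed console logins (useful to count before a success)."""
    return [principal_of(ev) for ev in iter_records(cloudtrail_json)
            if is_console_login(ev)
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure"]


if __name__ == "__main__":
    for finding in detect(CLOUDTRAIL_FILE):
        print("ALERT console login without MFA:", finding)
    print("failed logins:", failed_logins(CLOUDTRAIL_FILE))
```

Only record 1 is reported: record 2 used MFA, record 3 did not succeed (and is listed separately by failed_logins, labelled from userName because arn is absent), and record 4 is a federated session. If your organisation enforces MFA at the IdP for everything and only IAM users sign in directly, this filter is the difference between a usable alert and one that fires on every SSO login.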