Console Login without MFA
idempotent
Platform: AWS
MITRE ATT&CK Tactics
- Initial Access
Description
Simulates a login to the AWS Console for an IAM user without multi-factor authentication (MFA).
Warm-up:
- Create an IAM user
- Create a console profile for this user so it can log in to the AWS Console
Detonation:
- Log in to the AWS Console
References:
- https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/
- https://naikordian.github.io/blog/posts/brute-force-aws-console/
Instructions
Detection
Use the CloudTrail ConsoleLogin event: the field additionalEventData.MFAUsed is set to No when the authentication does not use MFA.
Sample CloudTrail event (redacted for clarity):
{
  "userIdentity": {
    "session_name": "console-user-wgrosmao",
    "type": "IAMUser",
    "arn": "arn:aws:iam::123456789123:user/console-user-wgrosmao",
    "accountId": "123456789123",
    "userName": "console-user-wgrosmao",
    "principalId": "AIDA254BBSGPKOYEB6PTV"
  },
  "eventSource": "signin.amazonaws.com",
  "eventType": "AwsConsoleSignIn",
  "eventCategory": "Management",
  "awsRegion": "us-east-1",
  "eventName": "ConsoleLogin",
  "readOnly": false,
  "eventTime": "2022-05-30T14:24:34Z",
  "managementEvent": true,
  "additionalEventData": {
    "MFAUsed": "No",
    "LoginTo": "https://console.aws.amazon.com/console/home",
    "MobileVersion": "No"
  },
  "responseElements": {
    "ConsoleLogin": "Success"
  }
}
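The detection described above, applied to a CloudTrail log file, as an added example that is not part of the original page or of the project's code. The function names and all sample records are constructed for illustration; limiting matches to successful logins by IAMUser identities is an assumption that follows this page's scenario.

```python
import json

# Constructed CloudTrail log file content (account ID, users and IPs are made up).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "eventTime": "2022-05-30T14:24:34Z", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789123:user/alice"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "eventTime": "2022-05-30T14:30:00Z", "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789123:user/bob"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "eventTime": "2022-05-30T14:31:00Z", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789123:user/carol"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "eventTime": "2022-05-30T14:32:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789123:assumed-role/ExampleRole/dave"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser"}, "responseElements": None},
]})

def is_console_login_without_mfa(event):
    """True for a successful IAM-user ConsoleLogin whose MFAUsed field is "No"."""
    # "or {}" covers keys that are absent and keys present with a null value.
    identity = event.get("userIdentity") or {}
    extra = event.get("additionalEventData") or {}
    response = event.get("responseElements") or {}
    return (
        event.get("eventSource") == "signin.amazonaws.com"
        and event.get("eventName") == "ConsoleLogin"
        and identity.get("type") == "IAMUser"            # assumption: IAM users only
        and response.get("ConsoleLogin") == "Success"    # ignore failed attempts
        and extra.get("MFAUsed") == "No"
    )

def find_logins_without_mfa(log_text):
    """Return (eventTime, arn, sourceIPAddress) for each matching record."""
    records = json.loads(log_text).get("Records", [])
    return [
        (e.get("eventTime"), e["userIdentity"].get("arn"), e.get("sourceIPAddress"))
        for e in records if is_console_login_without_mfa(e)
    ]
```

Only the first constructed record matches: the others use MFA, fail the login, come from an assumed-role session, or are not sign-in events.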