aws-bf Configuration

Installation

cscli scenarios install crowdsecurity/aws-bf

Description

This scenario needs the crowdsecurity/aws-cloudtrail parser and detects bruteforce of the aws console

Following the https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html take an extra care of your cloudtrail region configuration when dealing with console signing event capture and please keep in mind that event successful and failed login attempts might not be sent in the same cloudtrail region.

Please keep in mind that only console signing regardind existing users are captured in cloudtrail. This makes this scenario useful for existing users and the root user.

YAML Configuration

1type: leaky
2capacity: 5
3leakspeed: 30s
4name: crowdsecurity/aws-cloudtrail-bf-console-login
5description: "Detect console login bruteforce"
6filter: |
7    evt.Meta.log_type == 'aws-cloudtrail' && (
8      (evt.Meta.event_name == 'ConsoleLogin' && evt.Unmarshaled.cloudtrail.responseElements.ConsoleLogin == 'Failure') || 
9      (evt.Meta.event_name == 'GetSessionToken' && evt.Meta.error_code=='AccessDenied') || 
10      (evt.Meta.event_name == 'GetFederationToken' && evt.Meta.error_code=='AccessDenied')
11    )
12groupby: evt.Meta.source_ip
13blackhole: 1m
14reprocess: true
15scope:
16  type: Ip
17labels:
18  confidence: 3
19  spoofable: 0
20  classification:
21   - attack.T1110
22  behavior: "cloud:bruteforce"
23  label: "AWS bruteforce"
24  service: aws
25  remediation: false
26

Hub configuration

« aws-bf »
v0.4 by crowdsecurity
Attack scenarioservice:awsspoofable:0MITRE:T1110confidence:3

Hub configuration

« aws-bf »v0.4 by crowdsecurityAttack scenarioservice:awsspoofable:0MITRE:T1110confidence:3

« aws-bf »
v0.4 by crowdsecurity
Attack scenarioservice:awsspoofable:0MITRE:T1110confidence:3