aws-cis-benchmark-login-no-mfa Configuration

« aws-cis-benchmark-login-no-mfa »
v0.3 by crowdsecurity
Attack scenarioservice:awsspoofable:0MITRE:T1552MITRE:T1078confidence:3

Detect login without MFA to the AWS console

Installation

cscli scenarios install crowdsecurity/aws-cis-benchmark-login-no-mfa

Description

Detects login without MFA to the AWS console (Section 3.2 of CIS AWS Foundation Benchmark 1.2.0 ).

YAML Configuration

1type: trigger
2name: crowdsecurity/aws-cis-benchmark-login-no-mfa
3description: "Detect login without MFA to the AWS console"
4filter: |
5  evt.Meta.log_type == 'aws-cloudtrail' &&
6  evt.Meta.event_name == "ConsoleLogin" &&
7  evt.Unmarshaled.cloudtrail.additionalEventData.MFAUsed != "Yes" &&
8  evt.Unmarshaled.cloudtrail.userIdentity.type == "IAMUser" &&
9  evt.Unmarshaled.cloudtrail.responseElements.ConsoleLogin == "Success"
10labels:
11  confidence: 3
12  spoofable: 0
13  classification:
14    - attack.T1552
15    - attack.T1078.004
16  label: "AWS Credential misuse"
17  behavior: "cloud:unusual-activity"
18  service: aws
19  cti: false
20  remediation: false
21

Hub configuration

« aws-cis-benchmark-login-no-mfa »v0.3 by crowdsecurityAttack scenarioservice:awsspoofable:0MITRE:T1552MITRE:T1078confidence:3

« aws-cis-benchmark-login-no-mfa »
v0.3 by crowdsecurity
Attack scenarioservice:awsspoofable:0MITRE:T1552MITRE:T1078confidence:3