IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« AWS IAM Group Deletion AWS IAM User Addition to Group »

› › ›

AWS IAM Password Recovery Requested

edit

AWS IAM Password Recovery Requested

edit

Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.

Rule type: query

Rule indices:

filebeat-*
logs-aws*

Severity: low

Risk score: 21

Runs every: 10m

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/

Tags:

Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Tactic: Initial Access

Version: 105

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Rule query

edit

event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/

« AWS IAM Group Deletion AWS IAM User Addition to Group »