Rules Contributing to Suspicious AWS Root Account Activity Alert

The following rules are used to identify suspicious activity with AWS Root Account. Any one or more of these will trigger the Suspicious AWS Root Account Activity Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

AWS Root Credentials

Detects AWS root account usage

Rule ID

aws_12

Query

{'selection1': {'eventSource': 'signin.amazonaws.com'}, 'selection_usertype': {'userIdentity_type': 'Root'}, 'selection_eventtype': {'eventType': 'AwsServiceEvent'}, 'condition': 'selection1 and selection_usertype and not selection_eventtype'}

Log Source

Stellar Cyber AWS Cloudtrail configured.

Rule Source

SigmaHQ,8ad1600d-e9dc-4251-b0ee-a65268f29add

Author: vitaliy0x1

Tactics, Techniques, and Procedures

TA0003, T1078.004

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2020/01/21 medium

  • AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html

AWS Management Console Root Login

Identifies a successful login to the AWS Management Console by the Root user.

Rule ID

aws_31

Query

{'selection1': {'eventSource': 'signin.amazonaws.com'}, 'selection2': {'eventName': 'ConsoleLogin'}, 'selection3': {'userIdentity_type': 'Root'}, 'condition': 'selection1 and selection2 and selection3'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0001, TA0003, T1078, T1078

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2020/06/11 medium

  • It's strongly recommended that the root user is not used for everyday tasks, including the administrative ones. Verify whether the IP address, location, and/or hostname should be logging in as root in your environment. Unfamiliar root logins should be investigated immediately. If known behavior is causing false positives, it can be exempted from the rule.

Root access key created

An access key was created for the root account.

Rule ID

aws_109

Query

{'selection1': {'eventSource': 'cloudtrail.amazonaws.com'}, 'selection2': {'userIdentity_type': 'Root'}, 'selection3': {'eventName': 'CreateAccessKey'}, 'condition': 'selection1 and selection2 and selection3'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0005, T1078

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/01/05 medium N/A