Detection rules › Panther
Logins Without MFA
A console login was made without multi-factor authentication.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1078 Valid Accounts |
Rules detecting the same action
Other rules on this platform that filter on the same API call or operation.
- AWS Console Login (Panther)
- AWS Console Login Failed During MFA Challenge (Splunk)
- AWS ConsoleLogin Failed Authentication (Sigma)
- AWS CreateLoginProfile (Splunk)
- AWS Credential Access Failed Login (Splunk)
- AWS High Number Of Failed Authentications For User (Splunk)
- AWS High Number Of Failed Authentications From Ip (Splunk)
- AWS Multiple Failed MFA Requests For User (Splunk)
Rule body yaml
AnalysisType: rule
Filename: aws_console_login_without_mfa.py
RuleID: "AWS.Console.LoginWithoutMFA"
DisplayName: "Logins Without MFA"
Enabled: true
LogTypes:
- AWS.CloudTrail
Tags:
- AWS
- Identity & Access Management
- Authentication
- Initial Access:Valid Accounts
Reports:
CIS:
- 3.2
MITRE ATT&CK:
- TA0001:T1078
Stratus Red Team:
- aws.initial-access.console-login-without-mfa
Severity: High
Description: A console login was made without multi-factor authentication.
Runbook: https://docs.runpanther.io/alert-runbooks/built-in-rules/aws-console-login-without-mfa
Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html
SummaryAttributes:
- userAgent
- sourceIpAddress
- recipientAccountId
- p_any_aws_arns
Tests:
- Name: No MFA Login - IAM User
ExpectedResult: true
Mocks:
- objectName: check_account_age
returnValue: "False"
Log:
{
"eventVersion": "1.05",
"userIdentity":
{
"type": "IAMUser",
"principalId": "1111",
"arn": "arn:aws:iam::123456789012:user/tester",
"accountId": "123456789012",
"userName": "tester",
},
"eventTime": "2019-01-01T00:00:00Z",
"eventSource": "signin.amazonaws.com",
"eventName": "ConsoleLogin",
"awsRegion": "us-east-1",
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla",
"requestParameters": null,
"responseElements": { "ConsoleLogin": "Success" },
"additionalEventData":
{
"LoginTo": "https://console.aws.amazon.com/console/",
"MobileVersion": "No",
"MFAUsed": "No",
},
"eventID": "1",
"eventType": "AwsConsoleSignIn",
"recipientAccountId": "123456789012",
"p_log_type": "AWS.CloudTrail",
}
- Name: No MFA Login - IAM User Unknown Account
ExpectedResult: true
Mocks:
- objectName: check_account_age
returnValue: "False"
Log:
{
"eventVersion": "1.05",
"userIdentity":
{
"type": "IAMUser",
"principalId": "1111",
"arn": "arn:aws:iam::123456789013:user/tester",
"accountId": "123456789013",
"userName": "tester",
},
"eventTime": "2019-01-01T00:00:00Z",
"eventSource": "signin.amazonaws.com",
"eventName": "ConsoleLogin",
"awsRegion": "us-east-1",
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla",
"requestParameters": null,
"responseElements": { "ConsoleLogin": "Success" },
"additionalEventData":
{
"LoginTo": "https://console.aws.amazon.com/console/",
"MobileVersion": "No",
"MFAUsed": "No",
},
"eventID": "1",
"eventType": "AwsConsoleSignIn",
"recipientAccountId": "123456789013",
"p_log_type": "AWS.CloudTrail",
}
- Name: No MFA Login - Root User
ExpectedResult: true
Mocks:
- objectName: check_account_age
returnValue: "False"
Log:
{
"eventVersion": "1.05",
"userIdentity":
{
"accessKeyId": "",
"accountId": "123456789012",
"arn": "arn:aws:iam::123456789012:root",
"principalId": "123456789012",
"type": "Root",
},
"eventTime": "2019-01-01T00:00:00Z",
"eventSource": "signin.amazonaws.com",
"eventName": "ConsoleLogin",
"awsRegion": "us-east-1",
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla",
"requestParameters": null,
"responseElements": { "ConsoleLogin": "Success" },
"additionalEventData":
{
"LoginTo": "https://console.aws.amazon.com/console/",
"MobileVersion": "No",
"MFAUsed": "No",
},
"eventID": "1",
"eventType": "AwsConsoleSignIn",
"recipientAccountId": "123456789012",
"p_log_type": "AWS.CloudTrail",
}
- Name: MFA Login - SAML
ExpectedResult: false
Mocks:
- objectName: check_account_age
returnValue: "False"
Log:
{
"additionalEventData":
{
"LoginTo": "https://console.aws.amazon.com/console/home",
"MobileVersion": "No",
"MFAUsed": "No",
"SamlProviderArn": "arn:aws:iam::123456789012:saml-provider/Okta",
},
"eventVersion": "1.05",
"userIdentity":
{
"type": "IAMUser",
"principalId": "1111",
"arn": "arn:aws:iam::123456789012:user/tester",
"accountId": "123456789012",
"userName": "tester",
},
"eventTime": "2019-01-01T00:00:00Z",
"eventSource": "signin.amazonaws.com",
"eventName": "ConsoleLogin",
"awsRegion": "us-east-1",
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla",
"requestParameters": null,
"responseElements": { "ConsoleLogin": "Success" },
"eventID": "1",
"eventType": "AwsConsoleSignIn",
"recipientAccountId": "123456789012",
"p_log_type": "AWS.CloudTrail",
}
- Name: MFA Login
ExpectedResult: false
Mocks:
- objectName: check_account_age
returnValue: "False"
Log:
{
"eventVersion": "1.05",
"userIdentity":
{
"type": "IAMUser",
"principalId": "1111",
"arn": "arn:aws:iam::123456789012:user/tester",
"accountId": "123456789012",
"userName": "tester",
},
"eventTime": "2019-01-01T00:00:00Z",
"eventSource": "signin.amazonaws.com",
"eventName": "ConsoleLogin",
"awsRegion": "us-east-1",
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla",
"requestParameters": null,
"responseElements": { "ConsoleLogin": "Success" },
"additionalEventData":
{
"LoginTo": "https://console.aws.amazon.com/console/",
"MobileVersion": "No",
"MFAUsed": "Yes",
},
"eventID": "1",
"eventType": "AwsConsoleSignIn",
"recipientAccountId": "123456789012",
"p_log_type": "AWS.CloudTrail",
}
- Name: No MFA - Login Failed
ExpectedResult: false
Mocks:
- objectName: check_account_age
returnValue: "False"
Log:
{
"eventVersion": "1.05",
"userIdentity":
{
"type": "IAMUser",
"principalId": "1111",
"arn": "arn:aws:iam::123456789012:user/tester",
"accountId": "123456789012",
"userName": "tester",
},
"eventTime": "2019-01-01T00:00:00Z",
"eventSource": "signin.amazonaws.com",
"eventName": "ConsoleLogin",
"awsRegion": "us-east-1",
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla",
"requestParameters": null,
"responseElements": { "ConsoleLogin": "Failure" },
"additionalEventData":
{
"LoginTo": "https://console.aws.amazon.com/console/",
"MobileVersion": "No",
"MFAUsed": "Yes",
},
"eventID": "1",
"eventType": "AwsConsoleSignIn",
"recipientAccountId": "123456789012",
"p_log_type": "AWS.CloudTrail",
}
- Name: No MFA - authenticated from session with MFA
ExpectedResult: false
Mocks:
- objectName: check_account_age
returnValue: "False"
Log:
{
"p_event_time": "2019-01-01 00:20:04.000Z",
"eventSource": "signin.amazonaws.com",
"eventName": "ConsoleLogin",
"userIdentity":
{
"accountId": "123456789012",
"arn": "arn:aws:sts::123456789012:assumed-role/testrole_34c15ddd84cb4648/tester@example.com",
"principalId": "AROAXXXXXXXXXXXXXXXXX:tester@example.com",
"sessionContext":
{
"attributes":
{
"creationDate": "2019-09-01T21:20:03Z",
"mfaAuthenticated": "true",
},
"sessionIssuer":
{
"accountId": "123456789012",
"arn": "arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/us-east-1/testrole_34c15ddd84cb4648",
"principalId": "AROAXXXXXXXXXXXXXXXXX",
"type": "Role",
"userName": "testrole_34c15ddd84cb4648",
},
"webIdFederationData": {},
},
"type": "AssumedRole",
},
"p_log_type": "AWS.CloudTrail",
}
- Name: No MFA Login - New User
ExpectedResult: false
Mocks:
- objectName: check_account_age
returnValue: "True"
Log:
{
"eventVersion": "1.05",
"userIdentity":
{
"type": "IAMUser",
"principalId": "1111",
"arn": "arn:aws:iam::123456789012:user/tester",
"accountId": "123456789012",
"userName": "tester",
},
"eventTime": "2019-01-01T00:00:00Z",
"eventSource": "signin.amazonaws.com",
"eventName": "ConsoleLogin",
"awsRegion": "us-east-1",
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla",
"requestParameters": null,
"responseElements": { "ConsoleLogin": "Success" },
"additionalEventData":
{
"LoginTo": "https://console.aws.amazon.com/console/",
"MobileVersion": "No",
"MFAUsed": "No",
},
"eventID": "1",
"eventType": "AwsConsoleSignIn",
"recipientAccountId": "123456789012",
"p_log_type": "AWS.CloudTrail",
}
- Name: AWS SSOv2 Login
ExpectedResult: false
Mocks:
- objectName: check_account_age
returnValue: "False"
Log:
{
"additionalEventData": { "MFAUsed": "No", "MobileVersion": "No" },
"awsRegion": "us-east-2",
"eventID": "1111111111",
"eventName": "ConsoleLogin",
"eventSource": "signin.amazonaws.com",
"eventTime": "2022-03-16 19:17:41",
"eventType": "AwsConsoleSignIn",
"eventVersion": "1.08",
"managementEvent": true,
"readOnly": false,
"recipientAccountId": "xxx",
"responseElements": { "ConsoleLogin": "Success" },
"sourceIPAddress": "1.2.3.4",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36",
"userIdentity":
{
"accountId": "xxx",
"arn": "arn:aws:sts::xxx:assumed-role/AWSReservedSSO_developer_admin_asdf/foo@bar.com",
"principalId": "xxx:foo@bar.com",
"sessionContext":
{
"attributes":
{
"creationDate": "2022-03-16T19:17:41Z",
"mfaAuthenticated": "false",
},
"sessionIssuer":
{
"accountId": "xxx",
"arn": "arn:aws:iam::xxx:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_developer_admin_asdf",
"principalId": "xxx",
"type": "Role",
"userName": "AWSReservedSSO_developer_admin_asdf",
},
"webIdFederationData": {},
},
"type": "AssumedRole",
},
"p_log_type": "AWS.CloudTrail",
}
- Name: AssumeRole from MFA User Session
ExpectedResult: false
Mocks:
- objectName: check_account_age
returnValue: "False"
Log:
{
"additionalEventData": { "MFAUsed": "No", "MobileVersion": "No" },
"awsRegion": "us-east-1",
"eventID": "sdsdsdsd",
"eventName": "ConsoleLogin",
"eventSource": "signin.amazonaws.com",
"eventTime": "2022-03-29 17:16:36.000000000",
"eventType": "AwsConsoleSignIn",
"eventVersion": "1.08",
"managementEvent": true,
"readOnly": false,
"recipientAccountId": "111111111111111",
"responseElements": { "ConsoleLogin": "Success" },
"sourceIPAddress": "1.1.1.1",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.83 Safari/537.36",
"userIdentity":
{
"accountId": "11111",
"sessionContext":
{
"attributes":
{
"creationDate": "2022-03-29T17:16:35Z",
"mfaAuthenticated": "true",
},
"sessionIssuer":
{ "accountId": "2222", "type": "Role", "userName": "asdsda" },
"webIdFederationData": {},
},
"type": "AssumedRole",
},
"p_log_type": "AWS.CloudTrail",
}
- Name: No MFA - IAM Role and External IDP
ExpectedResult: false
Mocks:
- objectName: ROLES_VIA_EXTERNAL_IDP
returnValue: True
Log:
{
"eventVersion": "1.05",
"userIdentity":
{
"accountId": "123456789012",
"arn": "arn:aws:sts::123456789012:assumed-role/SomeRole/1641313043312360000",
"principalId": "AROAXXXXXXXXXXXXXXXXX:1641313043312360000",
"sessionContext":
{
"attributes":
{
"creationDate": "2022-01-04T16:17:27Z",
"mfaAuthenticated": "false",
},
"sessionIssuer":
{
"accountId": "123456789012",
"arn": "arn:aws:iam::123456789012:role/SomeRole",
"principalId": "AROAXXXXXXXXXXXXXXXXX",
"type": "Role",
"userName": "SomeRole",
},
},
"type": "AssumedRole",
},
"eventTime": "2019-01-01T00:00:00Z",
"eventSource": "signin.amazonaws.com",
"eventName": "ConsoleLogin",
"awsRegion": "us-east-1",
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla",
"requestParameters": null,
"responseElements": { "ConsoleLogin": "Success" },
"additionalEventData":
{
"LoginTo": "https://console.aws.amazon.com/console/",
"MobileVersion": "No",
"MFAUsed": "No",
},
"eventID": "1",
"eventType": "AwsConsoleSignIn",
"recipientAccountId": "123456789013",
"p_row_id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"p_log_type": "AWS.CloudTrail",
}
Detection logic
Condition
eventName eq "ConsoleLogin"
userIdentity.type not eq "AssumedRole"
not (userIdentity.arn contains "AWSReservedSSO" or additionalEventData.SamlProviderArn is_not_null)
responseElements.ConsoleLogin eq "Success"
additionalEventData.MFAUsed ne "Yes"
userIdentity.sessionContext.attributes.mfaAuthenticated ne "true"
This rule also runs imperative logic the parser cannot express as a filter; the conditions above are the structured part it could extract.
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
additionalEventData.SamlProviderArn | is_not_null | |
userIdentity.arn | contains | AWSReservedSSO |
userIdentity.type | eq | AssumedRole |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
additionalEventData.MFAUsed | ne |
|
eventName | eq |
|
responseElements.ConsoleLogin | eq |
|
userIdentity.sessionContext.attributes.mfaAuthenticated | ne |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field |
|---|
eventName |
eventSource |
awsRegion |
recipientAccountId |
sourceIPAddress |
userAgent |
userIdentity |