Detection rules › Panther
AWS User Takeover Via Password Reset
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1098.001 Account Manipulation: Additional Cloud Credentials |
Rule body yaml
AnalysisType: correlation_rule
RuleID: "AWS.User.Takeover.Via.Password.Reset"
DisplayName: "AWS User Takeover Via Password Reset"
Enabled: true
Severity: High
Reports:
MITRE ATT&CK:
- TA0004:T1098.001 # Additional Cloud Credentials
Detection:
- Sequence:
- ID: Password Reset
RuleID: AWS.CloudTrail.LoginProfileCreatedOrModified
- ID: Login
RuleID: AWS.Console.Login
Transitions:
- ID: Password Reset TO Login ON IP Addr
From: Password Reset
To: Login
WithinTimeFrameMinutes: 60
Match:
- On: p_alert_context.ip_and_username
Schedule:
RateMinutes: 1440
TimeoutMinutes: 10
LookbackWindowMinutes: 2160
Tests:
- Name: Password Reset, Then Login From Same IP
ExpectedResult: true
RuleOutputs:
- ID: Password Reset
Matches:
p_alert_context.ip_and_username:
"1.1.1.1alice":
- "2024-06-01T10:01:01Z"
- ID: Login
Matches:
p_alert_context.ip_and_username:
"1.1.1.1alice":
- "2024-06-01T10:02:01Z"
- Name: Password Reset, Then Login From different user
ExpectedResult: false
RuleOutputs:
- ID: Password Reset
Matches:
p_alert_context.ip_and_username:
"1.1.1.1alice":
- "2024-06-01T10:01:01Z"
- ID: Login
Matches:
p_alert_context.ip_and_username:
"1.1.1.1bob":
- "2024-06-01T10:02:01Z"
- Name: Password Reset, Then Login From Different IPs
ExpectedResult: false
RuleOutputs:
- ID: Password Reset
Matches:
p_alert_context.ip_and_username:
"1.1.1.1alice":
- "2024-06-01T10:01:01Z"
- ID: Login
Matches:
p_alert_context.ip_and_username:
"2.2.2.2alice":
- "2024-06-01T10:02:01Z"
- Name: Password Reset Without Login
ExpectedResult: false
RuleOutputs:
- ID: Password Reset
Matches:
p_alert_context.ip_and_username:
"1.1.1.1alice":
- "2024-06-01T10:01:01Z"
- Name: Login Without Password Reset
ExpectedResult: false
RuleOutputs:
- ID: Login
Matches:
p_alert_context.ip_and_username:
"1.1.1.1alice":
- "2024-06-01T10:01:01Z"
Detection logic
Stage 1: step Password Reset ordered before $Login
References detection AWS.CloudTrail.LoginProfileCreatedOrModified.
Stage 2: step Login ordered after $Password Reset
References detection AWS.Console.Login.