AWS Suspect Console Pivot

Detection overview

Triggers

  • An account enumerates IAM users or looks up details of its own identity, then requests a sign-in token for the AWS management console and uses that token to log in to the console.
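The sequence above (enumerate or self-lookup, then obtain a token, then a console sign-in by the same identity) can be correlated from CloudTrail. The following is an added illustration, not the vendor's detection logic: it assumes that enumeration shows up as IAM ListUsers, a parameterless IAM GetUser or STS GetCallerIdentity, that the token request shows up as STS GetFederationToken or GetSessionToken, that the console login is the signin.amazonaws.com ConsoleLogin event, and that a one-hour window ties them together. The log lines are constructed; the ARNs, IPs and timestamps are made up.

```python
"""Correlate CloudTrail events into the enumerate -> token -> console-login sequence.

Illustrative rule logic only; the calls it keys on and the correlation window are
assumptions about how the pivot looks in CloudTrail, not a published detection model.
"""
from datetime import datetime, timedelta

ENUM_CALLS = {("iam.amazonaws.com", "ListUsers"), ("iam.amazonaws.com", "GetUser"),
              ("sts.amazonaws.com", "GetCallerIdentity")}
TOKEN_CALLS = {("sts.amazonaws.com", "GetFederationToken"),
               ("sts.amazonaws.com", "GetSessionToken")}
LOGIN_CALL = ("signin.amazonaws.com", "ConsoleLogin")


def principal_of(event):
    """Resolve the IAM identity behind an event, unwrapping federated sessions."""
    ident = event["userIdentity"]
    if ident.get("type") == "FederatedUser":
        # A session minted with GetFederationToken records the issuing IAM user here.
        return ident["sessionContext"]["sessionIssuer"]["arn"]
    return ident["arn"]


def is_self_lookup_or_enum(event):
    """True for user enumeration or a lookup of the caller's own identity."""
    key = (event["eventSource"], event["eventName"])
    if key not in ENUM_CALLS:
        return False
    if key[1] == "GetUser":
        # GetUser with no userName returns the caller's own record.
        return not (event.get("requestParameters") or {}).get("userName")
    return True


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_console_pivots(events, window_hours=1.0):
    """Return one finding per principal that completes enumerate -> token -> login in the window."""
    window = timedelta(hours=window_hours)
    by_principal = {}
    for e in sorted(events, key=lambda e: e["eventTime"]):
        by_principal.setdefault(principal_of(e), []).append(e)

    findings = []
    for principal, evs in by_principal.items():
        chain = []  # events matched so far for the current candidate sequence
        for e in evs:
            key = (e["eventSource"], e["eventName"])
            if chain and parse_time(e["eventTime"]) - parse_time(chain[0]["eventTime"]) > window:
                chain = []  # sequence went stale; start over
            stage = len(chain)
            if stage == 0 and is_self_lookup_or_enum(e):
                chain.append(e)
            elif stage == 1 and key in TOKEN_CALLS:
                chain.append(e)
            elif stage == 2 and key == LOGIN_CALL and \
                    (e.get("responseElements") or {}).get("ConsoleLogin") == "Success":
                chain.append(e)
                findings.append({
                    "principal": principal,
                    "login_source_ip": e.get("sourceIPAddress"),
                    "events": [(x["eventTime"], x["eventName"]) for x in chain],
                })
                chain = []
    return findings


# Constructed sample log (not real CloudTrail data); helpers build the minimal fields used above.
ACCOUNT = "123456789012"


def _iam_user(name):
    return {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/{name}"}


def _federated(name):
    return {"type": "FederatedUser", "arn": f"arn:aws:sts::{ACCOUNT}:federated-user/{name}",
            "sessionContext": {"sessionIssuer": _iam_user(name)}}


def _event(time, source, name, ident, ip, **extra):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": ident, "sourceIPAddress": ip, **extra}


SAMPLE_EVENTS = [
    # Full pivot by the ci-deploy access key within a few minutes.
    _event("2024-05-01T10:00:00Z", "iam.amazonaws.com", "ListUsers", _iam_user("ci-deploy"), "203.0.113.7"),
    _event("2024-05-01T10:01:30Z", "sts.amazonaws.com", "GetFederationToken", _iam_user("ci-deploy"), "203.0.113.7"),
    _event("2024-05-01T10:03:10Z", "signin.amazonaws.com", "ConsoleLogin", _federated("ci-deploy"), "203.0.113.7",
           responseElements={"ConsoleLogin": "Success"}),
    # Admin signing in to the console directly: no preceding enumeration or token request.
    _event("2024-05-01T10:05:00Z", "signin.amazonaws.com", "ConsoleLogin", _iam_user("alice"), "198.51.100.4",
           responseElements={"ConsoleLogin": "Success"}),
    # Enumeration and token request with no console login.
    _event("2024-05-01T09:00:00Z", "iam.amazonaws.com", "ListUsers", _iam_user("bob"), "198.51.100.9"),
    _event("2024-05-01T09:01:00Z", "sts.amazonaws.com", "GetSessionToken", _iam_user("bob"), "198.51.100.9"),
    # Full sequence, but the token request comes more than an hour after the self-lookup.
    _event("2024-05-01T08:00:00Z", "iam.amazonaws.com", "GetUser", _iam_user("carol"), "192.0.2.10"),
    _event("2024-05-01T09:30:00Z", "sts.amazonaws.com", "GetFederationToken", _iam_user("carol"), "192.0.2.10"),
    _event("2024-05-01T09:31:00Z", "signin.amazonaws.com", "ConsoleLogin", _federated("carol"), "192.0.2.10",
           responseElements={"ConsoleLogin": "Success"}),
]

if __name__ == "__main__":
    for finding in detect_console_pivots(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, only ci-deploy is reported; alice's direct login and bob's token request without a login do not match, and carol's chain is dropped because the window expires before the token request. Widening the window to two hours makes carol's sequence match too, which is the tuning trade-off between catching a slow pivot and flagging an administrator who happens to call these APIs over the course of a day.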

Possible Root Causes

  • An attacker is pivoting from the AWS API to the AWS management console to continue their attack progression.
  • An administrator has started to use the AWS management console in an unusual way.

Business Impact

  • Lateral movement may indicate that an adversary has established a foothold in the environment and is progressing towards their objective, increasing the risk of material impact.

Steps to Verify

  • Investigate the account context that performed these actions for other signs of malicious activity.
  • Review whether this account should have console access for its normal duties.
  • If the review indicates possible malicious actions or a high-risk configuration, revert the configuration and disable the credentials associated with this alert, then perform a comprehensive investigation.