Initial access:
This is how an attacker first gets into your environment: the initial step, where the attacker gains a foothold in a system, a network, or a cloud account.
Imagine you are part of a company's SOC team. One morning you receive an alert from Amazon GuardDuty. It says:
"UnauthorizedAccess:IAMUser/BruteForce"
Attack:
This means someone outside your company, possibly in another country, is trying to get into the AWS console. They do not know the account's password or secret keys, so they make many login attempts using guessed passwords or leaked credentials.
The same finding can also be benign: a user who has forgotten their password can fail authentication several times in a row.
Either way, a burst of password failures for one IAM user is what produces this finding in GuardDuty.
Defense:
Check the logs (CloudTrail ConsoleLogin events) and identify the remote IP address.
Check with the user whether these are legitimate failures (forgotten password, stale saved credentials) or not.
If the failures are not genuine, reset the user's console password and rotate any access keys.
Check whether MFA is enforced for the user.
If the remote IP is malicious, block it on the AWS NACL. Note that a NACL only filters traffic into your VPC, so this helps against SSH/RDP brute force on EC2 instances but does nothing for console sign-in attempts, which go to signin.amazonaws.com rather than to your VPC; for console attacks the effective controls are MFA and a credential reset.
Check with the team managing AWS and ask them to confirm whether the user has privileges to access the resource or console, and whether the activity is benign.
Monitor the user account vigilantly.
Note:
If the failures are from a generic or service account, they may be caused by scripts using stale or rotated credentials.
This has to be checked by the AWS team to find the root cause (RCA) of these failures.
GuardDuty raises several findings of this kind. They are all access-related and hence classified as initial access techniques. Other findings are listed below:
UnauthorizedAccess:EC2/SSHBruteForce
GuardDuty raises this finding when a brute-force attempt is made to gain access to EC2 instances over SSH (port 22). The instance can be either the target or the source of the brute force, so check the resource role (TARGET or ACTOR) in the finding before deciding whether the instance is under attack or already compromised.
UnauthorizedAccess:EC2/RDPBruteForce
GuardDuty raises this finding when a brute-force attempt is made over RDP against Windows EC2 instances (port 3389); as with SSH, the instance may be the target or the actor.
UnauthorizedAccess:IAMUser/BruteForce
GuardDuty raises this finding when a large number of failed attempts to access resources or the console are made with one IAM user's credentials, treating it as a brute-force attack on those credentials.
UnauthorizedAccess:IAMUser/TorIPCaller
GuardDuty raises this finding when an API call is made from a source IP that is a Tor exit node (a suspicious access origin, since Tor hides the caller's real location).
UnauthorizedAccess:IAMUser/ConsoleLogin
GuardDuty raises this finding when a console login attempt for an IAM user comes from a suspicious source IP: one categorised as scanning, spam or malware, a Tor exit node, or an unusual geolocation for that user.
UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration
When an EC2 instance has an IAM role attached, AWS issues it temporary credentials through the Instance Metadata Service (IMDS). These credentials are meant to be used only by that instance, from inside AWS.
An attacker who has gained access to the instance (a shell on the box, or an SSRF bug in an application running on it) can query IMDS, obtain the temporary credentials, and copy them to their own laptop.
When GuardDuty sees those instance credentials being used from somewhere other than the instance it raises this finding; it has OutsideAWS and InsideAWS variants depending on where the calls come from. The first response step is to revoke the role's active sessions and investigate how the instance was compromised. Requiring IMDSv2 (session tokens obtained with a PUT request) on the instance closes the plain SSRF route to the credentials.
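An added example (not code from the page or from AWS) of the detection logic behind this finding, in Python: given CloudTrail records, it picks out calls made with an EC2 instance-profile session (an AssumedRole identity whose session name is the instance ID) and flags any whose source IP is not one of that instance's own addresses, distinguishing addresses inside and outside AWS the way the finding's InsideAWS and OutsideAWS variants do. The instance inventory, the AWS address ranges and the CloudTrail records below are all constructed for the example.

```python
import ipaddress

# Constructed inventory (made-up IDs and addresses): the addresses a given
# instance can legitimately originate API calls from (its public IP, and its
# private IP for calls that go through a VPC endpoint).
INSTANCE_IPS = {
    "i-0123456789abcdef0": {"203.0.113.10", "10.0.1.25"},
}

# Constructed stand-in for AWS-owned address space. In production load
# https://ip-ranges.amazonaws.com/ip-ranges.json instead of hard-coding ranges.
AWS_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("10.0.0.0/8")]

# One instance-profile session ARN reused by the sample records (constructed).
ROLE_SESSION = "arn:aws:sts::123456789012:assumed-role/WebServerRole/i-0123456789abcdef0"

# Constructed CloudTrail records, reduced to the fields this check needs.
SAMPLE_EVENTS = [
    # Normal call from the instance's own public IP.
    {"eventID": "e1", "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION}},
    # Same session used from outside AWS: the credentials left the box.
    {"eventID": "e2", "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.45",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION}},
    # Same session used from another AWS address that is not this instance.
    {"eventID": "e3", "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION}},
    # An IAM user call: not an instance session, so it is ignored here.
    {"eventID": "e4", "eventName": "ListUsers", "sourceIPAddress": "198.51.100.45",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    # A call made by an AWS service on the instance's behalf: CloudTrail records a
    # service hostname instead of an IP in sourceIPAddress.
    {"eventID": "e5", "eventName": "PutObject", "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION}},
]


def instance_id_from_identity(user_identity):
    """Return the EC2 instance ID if this identity is an instance-profile session.
    CloudTrail records such calls with type AssumedRole and an ARN of the form
    arn:aws:sts::<account>:assumed-role/<role>/<session>; for an instance profile
    the session name is the instance ID (i-...)."""
    if user_identity.get("type") != "AssumedRole":
        return None
    session = user_identity.get("arn", "").rsplit("/", 1)[-1]
    return session if session.startswith("i-") else None


def in_aws(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AWS_RANGES)


def classify(event):
    """Classify one CloudTrail record.
    Returns None for calls that are not instance-role calls, "ok" when the call
    comes from one of the instance's own addresses (or from an AWS service on its
    behalf), and otherwise "InsideAWS" or "OutsideAWS", mirroring the finding's
    two variants."""
    instance_id = instance_id_from_identity(event.get("userIdentity", {}))
    if instance_id is None:
        return None
    src = event.get("sourceIPAddress", "")
    if src in INSTANCE_IPS.get(instance_id, set()):
        return "ok"
    try:
        ipaddress.ip_address(src)
    except ValueError:
        return "ok"  # hostname such as "ec2.amazonaws.com": service-originated call
    return "InsideAWS" if in_aws(src) else "OutsideAWS"


def find_exfiltration(events):
    """Return (eventID, instanceId, sourceIP, verdict) for every suspicious call."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict in ("InsideAWS", "OutsideAWS"):
            iid = instance_id_from_identity(ev["userIdentity"])
            hits.append((ev["eventID"], iid, ev["sourceIPAddress"], verdict))
    return hits


if __name__ == "__main__":
    for hit in find_exfiltration(SAMPLE_EVENTS):
        print(*hit)
```

The check keys on the role session name rather than on the access key ID because the same instance obtains a fresh key every few hours, while the session name stays the instance ID for the life of the instance. When an instance reaches AWS through a NAT gateway, add the NAT gateway's public IP to that instance's allowed set, otherwise every call from it is reported as InsideAWS.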
Example payload:
{
  "schemaVersion": "2.0",
  "accountId": "123456789012",
  "region": "us-east-1",
  "partition": "aws",
  "id": "abcd1234-5678-efgh-ijkl-9012mnopqrst",
  "arn": "arn:aws:guardduty:us-east-1:123456789012:detector/abc123/finding/abcd1234",
  "type": "UnauthorizedAccess:IAMUser/BruteForce",
  "resource": {
    "resourceType": "AccessKey",
    "accessKeyDetails": {
      "accessKeyId": "AKIAEXAMPLEKEY",
      "principalId": "AIDEXAMPLEUSER",
      "userType": "IAMUser",
      "userName": "suspicious-user"
    }
  },
  "service": {
    "serviceName": "guardduty",
    "action": {
      "actionType": "AWS_API_CALL",
      "awsApiCallAction": {
        "api": "ConsoleLogin",
        "serviceName": "signin.amazonaws.com",
        "remoteIpDetails": {
          "ipAddressV4": "198.51.100.45",
          "organization": { "asn": "13335", "isp": "ExampleISP", "org": "ExampleOrg" },
          "country": { "countryName": "Unknown" }
        },
        "userAgent": "signin.amazonaws.com"
      }
    },
    "detectorId": "abc123",
    "eventFirstSeen": "2025-06-02T12:40:00Z",
    "eventLastSeen": "2025-06-02T12:45:33Z",
    "count": 42
  },
  "severity": 7.0,
  "title": "Brute Force Attempt Using IAM User Credentials",
  "description": "Multiple failed sign-in attempts detected for IAM user suspicious-user from IP 198.51.100.45",
  "createdAt": "2025-06-02T12:45:40Z",
  "updatedAt": "2025-06-02T12:46:00Z"
}
The fields of a GuardDuty finding are the same for every finding type; only the values change. The finding ID (the id field) and its ARN are both shown in the GuardDuty console.
Finding ARN: arn:aws:guardduty:us-east-1:123456789012:detector/abc123/finding/abcd1234
Payload explanation:
Here GuardDuty has detected brute-force attempts, i.e. a large number of sign-in failures for one IAM user (identified by principal ID AIDEXAMPLEUSER and user name suspicious-user), and created a finding with severity 7.0 (high).
The attempts are console sign-ins (api: ConsoleLogin against signin.amazonaws.com) coming from the remote IP 198.51.100.45. The count field shows 42 of them, first seen at 2025-06-02T12:40:00Z and last seen at 2025-06-02T12:45:33Z, so roughly one attempt every eight seconds.
Account ID: the AWS account (123456789012) in which the targeted IAM user lives.
Remote IP analysis (how to perform): Reference
These are console sign-in attempts from that IP against the user above; check the IP's reputation, its ASN (13335 in the payload) and its geolocation before deciding whether to treat it as malicious.
Validate the same principal ID in AWS CloudTrail (ConsoleLogin events from signin.amazonaws.com) for the error codes and the reason for each failure, and check whether any sign-in from that IP eventually succeeded, since a success after a run of failures means the guessed credentials worked.
Then follow the steps in the defense section above to mitigate these failures.
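An added example (not code from the page or from AWS) of the CloudTrail validation step described above, in Python. It pulls the triage fields out of the page's example finding, then correlates the finding's principal ID with ConsoleLogin records: failures are counted per source IP from the first-seen time onward, any success from the attacking IP is recorded together with whether MFA was used, and a verdict is derived from that. The CloudTrail records are constructed sample data in CloudTrail's shape (only five records, while the finding counts 42); the finding values are the page's own placeholders.

```python
from collections import Counter
from datetime import datetime

# The page's example finding, cut down to the fields triage needs.
FINDING = {
    "type": "UnauthorizedAccess:IAMUser/BruteForce",
    "severity": 7.0,
    "resource": {"accessKeyDetails": {"principalId": "AIDEXAMPLEUSER",
                                      "userName": "suspicious-user"}},
    "service": {"action": {"awsApiCallAction": {
                    "api": "ConsoleLogin",
                    "remoteIpDetails": {"ipAddressV4": "198.51.100.45"}}},
                "eventFirstSeen": "2025-06-02T12:40:00Z",
                "eventLastSeen": "2025-06-02T12:45:33Z",
                "count": 42},
}


def _login(time, principal, user, ip, outcome, mfa="No"):
    """Build a ConsoleLogin record in CloudTrail's shape (constructed sample data)."""
    rec = {"eventTime": time, "eventSource": "signin.amazonaws.com",
           "eventName": "ConsoleLogin", "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "principalId": principal, "userName": user},
           "responseElements": {"ConsoleLogin": outcome},
           "additionalEventData": {"MFAUsed": mfa}}
    if outcome == "Failure":
        rec["errorMessage"] = "Failed authentication"
    return rec


CLOUDTRAIL_EVENTS = [
    _login("2025-06-02T12:40:05Z", "AIDEXAMPLEUSER", "suspicious-user", "198.51.100.45", "Failure"),
    _login("2025-06-02T12:41:10Z", "AIDEXAMPLEUSER", "suspicious-user", "198.51.100.45", "Failure"),
    _login("2025-06-02T12:45:33Z", "AIDEXAMPLEUSER", "suspicious-user", "198.51.100.45", "Failure"),
    # A different user who mistyped their password: not this finding's principal.
    _login("2025-06-02T12:42:00Z", "AIDEXAMPLEOTHER", "other-user", "192.0.2.8", "Failure"),
    # A success from the attacking IP after the failures, without MFA: the worst case.
    _login("2025-06-02T12:47:02Z", "AIDEXAMPLEUSER", "suspicious-user", "198.51.100.45", "Success"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def finding_summary(finding):
    """Pull the triage-relevant fields out of a GuardDuty finding."""
    svc = finding["service"]
    key = finding["resource"]["accessKeyDetails"]
    return {
        "type": finding["type"],
        "severity": finding["severity"],
        "user": key["userName"],
        "principalId": key["principalId"],
        "remoteIp": svc["action"]["awsApiCallAction"]["remoteIpDetails"]["ipAddressV4"],
        "count": svc["count"],
        "firstSeen": svc["eventFirstSeen"],
        "lastSeen": svc["eventLastSeen"],
    }


def correlate(summary, events):
    """Count ConsoleLogin failures per source IP for the finding's principal from
    the first-seen time onward, and collect every later success with its IP and
    MFA status. Failures against a user name that does not exist are logged by
    CloudTrail with userName HIDDEN_DUE_TO_SECURITY_REASONS and no principal ID,
    so they never match a finding's principal and are not counted here."""
    failures = Counter()
    successes = []
    start = _ts(summary["firstSeen"])
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ev.get("eventName") != "ConsoleLogin" or ident.get("principalId") != summary["principalId"]:
            continue
        if _ts(ev["eventTime"]) < start:
            continue
        ip = ev["sourceIPAddress"]
        if ev["responseElements"]["ConsoleLogin"] == "Failure":
            failures[ip] += 1
        else:
            successes.append((ev["eventTime"], ip, ev["additionalEventData"].get("MFAUsed")))
    return {"failuresByIp": dict(failures), "successes": successes}


def verdict(summary, corr):
    """Turn the correlation into one of three triage outcomes."""
    ip = summary["remoteIp"]
    if any(s_ip == ip and mfa != "Yes" for _, s_ip, mfa in corr["successes"]):
        return "compromised"   # guessed credentials worked and MFA did not stop them
    if corr["failuresByIp"].get(ip, 0) > 0:
        return "attempted"     # brute force confirmed in CloudTrail, no success from that IP
    return "unconfirmed"       # nothing matches: re-check the principal ID and trail region


if __name__ == "__main__":
    s = finding_summary(FINDING)
    c = correlate(s, CLOUDTRAIL_EVENTS)
    print(s["user"], s["remoteIp"], c, verdict(s, c))
```

A "compromised" verdict is the trigger for the defense steps in the order that matters: reset the password and rotate keys first, then revoke the user's active sessions, then enforce MFA, because blocking the IP alone leaves a working credential in the attacker's hands.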