Detection coverage in DCV across AWS, Azure and GCP for Brute Force, plus the corresponding Sigma rules in the CloudSigma library. Source data refreshed 2026-04-24.
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
Brute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to Valid Accounts within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as OS Credential Dumping, Account Discovery, or Password Policy Discovery. Adversaries may also combine brute forcing activity with behaviors such as External Remote Services as part of Initial Access.
If an adversary guesses the correct password but fails to log in to a compromised account due to location-based conditional access policies, they may change their infrastructure until they match the victim's location and therefore bypass those policies.
Platforms: Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows.
DCV maps 42 detections across 3 cloud providers to T1110. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS Security Hub | AWS | 10 | 0.85 |
| AWS GuardDuty | AWS | 8 | 0.89 |
| AWS Config Rules | AWS | 5 | 0.80 |
| GCP Security Command Center | GCP | 5 | 0.84 |
| Microsoft Defender for Cloud | Azure | 5 | 0.88 |
| Azure Policy | Azure | 4 | 0.82 |
| Azure Regulatory Compliance | Azure | 4 | 0.90 |
| GCP Chronicle | GCP | 1 | 0.95 |
CloudSigma ships 3 production-ready Sigma rules that detect T1110 across 3 platforms. Every rule below is validated against its source SIEM dialect before publication.
This rule is currently experimental. CloudSigma generated it from upstream threat intelligence; before enabling it in production, tune the falsepositives section in your SIEM against your environment's known automation, service accounts and IP allowlist.
```yaml
title: AWS Console Login Failure Indicating Brute Force Attempt
id: 76cb295c-50c8-45ca-88e2-df25f0613bde
status: experimental
description: >
  Detects failed console login attempts to AWS that may indicate brute force
  attacks against user accounts. Repeated authentication failures from the same
  source may suggest credential guessing or stuffing attempts.
author: CloudSigma
date: 2026-02-06
references:
  - https://attack.mitre.org/techniques/T1110/
  - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html
tags:
  - attack.credential-access
  - attack.t1110
logsource:
  product: aws
  service: cloudtrail
detection:
  selection:
    eventSource: signin.amazonaws.com
    eventName: ConsoleLogin
    responseElements.ConsoleLogin: Failure
  condition: selection
falsepositives:
  - Legitimate users mistyping their passwords or forgetting credentials
  - Automated testing of authentication mechanisms
level: medium
```
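As an added example (not CloudSigma's code), the rule's selection block applied in Python to constructed CloudTrail records, plus the per-source failure count that the description's "repeated failures from the same source" calls for; the sample IPs, user names and the threshold of 5 are assumptions for illustration.

```python
import json
from collections import Counter

def _event(outcome, ip, user):
    # Constructed CloudTrail-style record (not from a real account): only the
    # fields the rule inspects, plus sourceIPAddress/userName for grouping.
    return {
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "responseElements": {"ConsoleLogin": outcome},
    }

# Constructed sample: one source hammering "alice", one user mistyping twice,
# plus an unrelated STS event the selection must ignore.
SAMPLE_RECORDS = (
    [_event("Failure", "198.51.100.7", "alice")] * 6
    + [_event("Failure", "203.0.113.9", "bob")] * 2
    + [_event("Success", "203.0.113.9", "bob")]
    + [{"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "sourceIPAddress": "198.51.100.7", "responseElements": None}]
)
SAMPLE_LOG = json.dumps({"Records": SAMPLE_RECORDS})  # CloudTrail file layout

def load_records(cloudtrail_json: str) -> list:
    """Parse a CloudTrail log file body ({"Records": [...]}) into event dicts."""
    return json.loads(cloudtrail_json)["Records"]

def matches_selection(event: dict) -> bool:
    """The rule's 'selection' block: all three fields must match (implicit AND)."""
    resp = event.get("responseElements") or {}
    return (
        event.get("eventSource") == "signin.amazonaws.com"
        and event.get("eventName") == "ConsoleLogin"
        and resp.get("ConsoleLogin") == "Failure"
    )

def failures_by_source(events) -> Counter:
    """Count rule hits per sourceIPAddress. Grouping by IP rather than userName
    is safer: CloudTrail masks the name as HIDDEN_DUE_TO_SECURITY_REASONS when
    the login failed because the user name itself was invalid."""
    return Counter(e.get("sourceIPAddress", "?") for e in events if matches_selection(e))

def brute_force_sources(events, threshold: int = 5) -> list:
    """Sources whose failure count reaches the threshold. The threshold is an
    assumed tuning value for this example, not part of the published rule."""
    return sorted(ip for ip, n in failures_by_source(events).items() if n >= threshold)
```

Run it against a real CloudTrail file body by passing its text to `load_records`; the threshold and any allowlisted sources are the knobs the falsepositives section asks you to tune.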