[New Hunt] Adding Hunting Query for `AWS IAM Unusual AWS Access Key Usage for User` (#4280)

* new hunt 'AWS IAM Unusual AWS Access Key Usage for User'

* updated version

* updating markdown

* bumping version

---------

Co-authored-by: shashank-elastic <[email protected]>

(cherry picked from commit 28ffebb)
terrancedejesus authored and github-actions[bot] committed Dec 12, 2024
1 parent 88e871a commit b326cec
Showing 5 changed files with 123 additions and 3 deletions.
63 changes: 63 additions & 0 deletions hunting/aws/docs/iam_unusual_access_key_usage_for_user.md
@@ -0,0 +1,63 @@
# AWS IAM Unusual AWS Access Key Usage for User

---

## Metadata

- **Author:** Elastic
- **Description:** This hunting query gathers data from AWS CloudTrail logs to identify unusual AWS access key usage for a user. By detecting instances where an access key is used infrequently for a specific AWS event, this query helps identify potential misuse or abuse of AWS access keys. Adversaries may use access keys to gain unauthorized access to AWS resources, exfiltrate data, or perform other malicious activities within the environment.

- **UUID:** `18ce3dbc-b1b3-11ef-9e63-f661ea17fbce`
- **Integration:** [aws.cloudtrail](https://docs.elastic.co/integrations/aws/cloudtrail)
- **Language:** `[ES|QL]`
- **Source File:** [AWS IAM Unusual AWS Access Key Usage for User](../queries/iam_unusual_access_key_usage_for_user.toml)

## Query

```sql
FROM logs-aws.cloudtrail*
// Limit the search to the last 14 days
| WHERE @timestamp > now() - 14 day
| WHERE
// Filter for successful AWS CloudTrail events
event.dataset == "aws.cloudtrail"
and event.outcome == "success"

// Filter for AWS CloudTrail events with user identity and access key information
and aws.cloudtrail.user_identity.access_key_id IS NOT NULL
and aws.cloudtrail.resources.arn IS NOT NULL

// Ignore GetObject events
and event.action NOT IN ("GetObject")

// Filter out known service roles; expand this as needed
and NOT aws.cloudtrail.user_identity.arn LIKE "*AWSServiceRoleForConfig*"
and NOT aws.cloudtrail.user_identity.arn LIKE "*Elastic-Cloud-Security-Posture*"
and NOT aws.cloudtrail.user_identity.arn LIKE "*AmazonSSMRoleForInstancesQuickSetup*"

| STATS
// Count the number of events for each daily bucket, user identity, access key, resource, and action
api_counts = count(*) by aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, event.action

// Filter for access keys with less than 2 API calls per day
| WHERE api_counts < 2
| SORT api_counts ASC
```

## Notes

- Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify the user and access key involved in the unusual access key usage.
- Review the infrequente AWS events (`event.action`), associated with the access key to determine the potential impact of the unusual access key usage.
- Within AWS, determine is the access key is temporary or permanent and if it is associated with a specific user or role.
- If the access key is associated with a specific role, review the permissions and policies associated with the role to determine the potential impact of the unusual access key usage.
- If the access key is associated with an assumed role, review the resources assigned to the role. Consider pivoting on EC2 or Lambda-based roles if identified and examine session metadata within the last 24-hours.
- Consider reviewing the `source.address` field to identify the IP address of the actor responsible for the unusual access key usage.
- If the access key is perminant and tied to a user or role, consider rotating the access key to prevent further unauthorized access.

## MITRE ATT&CK Techniques

- [T1078.004](https://attack.mitre.org/techniques/T1078/004)

## License

- `Elastic License v2`
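Review bot: The STATS comment does not match the BY clause that follows it: it promises a count "for each daily bucket, user identity, access key, resource, and action", but the grouping is only `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.access_key_id` and `event.action`, with no date bucket and no resource, and the later comment "less than 2 API calls per day" describes a per-day threshold while `api_counts < 2` is evaluated over the whole 14-day window. Either add a `BUCKET(@timestamp, 1 day)` term (and `aws.cloudtrail.resources.arn`, which the WHERE already requires to be non-null) to the `BY` clause so the logic matches the comments, or reword the comments to say the count is per user, key and action across 14 days. `NOT IN ("GetObject")` with a single value also reads like a placeholder; `!=`, or the full list of read-only actions meant to be excluded, would be clearer.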
51 changes: 51 additions & 0 deletions hunting/aws/queries/iam_unusual_access_key_usage_for_user.toml
@@ -0,0 +1,51 @@
[hunt]
author = "Elastic"
description = """
This hunting query gathers data from AWS CloudTrail logs to identify unusual AWS access key usage for a user. By detecting instances where an access key is used infrequently for a specific AWS event, this query helps identify potential misuse or abuse of AWS access keys. Adversaries may use access keys to gain unauthorized access to AWS resources, exfiltrate data, or perform other malicious activities within the environment.
"""
integration = ["aws.cloudtrail"]
uuid = "18ce3dbc-b1b3-11ef-9e63-f661ea17fbce"
name = "AWS IAM Unusual AWS Access Key Usage for User"
language = ["ES|QL"]
license = "Elastic License v2"
notes = [
"Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify the user and access key involved in the unusual access key usage.",
"Review the infrequente AWS events (`event.action`), associated with the access key to determine the potential impact of the unusual access key usage.",
"Within AWS, determine is the access key is temporary or permanent and if it is associated with a specific user or role.",
"If the access key is associated with a specific role, review the permissions and policies associated with the role to determine the potential impact of the unusual access key usage.",
"If the access key is associated with an assumed role, review the resources assigned to the role. Consider pivoting on EC2 or Lambda-based roles if identified and examine session metadata within the last 24-hours.",
"Consider reviewing the `source.address` field to identify the IP address of the actor responsible for the unusual access key usage.",
"If the access key is perminant and tied to a user or role, consider rotating the access key to prevent further unauthorized access."
]
mitre = ['T1078.004']
query = [
'''
FROM logs-aws.cloudtrail*
// Limit the search to the last 14 days
| WHERE @timestamp > now() - 14 day
| WHERE
// Filter for successful AWS CloudTrail events
event.dataset == "aws.cloudtrail"
and event.outcome == "success"
// Filter for AWS CloudTrail events with user identity and access key information
and aws.cloudtrail.user_identity.access_key_id IS NOT NULL
and aws.cloudtrail.resources.arn IS NOT NULL
// Ignore GetObject events
and event.action NOT IN ("GetObject")
// Filter out known service roles; expand this as needed
and NOT aws.cloudtrail.user_identity.arn LIKE "*AWSServiceRoleForConfig*"
and NOT aws.cloudtrail.user_identity.arn LIKE "*Elastic-Cloud-Security-Posture*"
and NOT aws.cloudtrail.user_identity.arn LIKE "*AmazonSSMRoleForInstancesQuickSetup*"
| STATS
// Count the number of events for each daily bucket, user identity, access key, resource, and action
api_counts = count(*) by aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, event.action
// Filter for access keys with less than 2 API calls per day
| WHERE api_counts < 2
| SORT api_counts ASC
'''
]
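Review bot: Three of the `notes` strings carry typos that will flow straight into the rendered markdown: "infrequente" should be "infrequent", "determine is the access key is temporary" should be "determine if the access key is temporary", and "perminant" should be "permanent" ("24-hours" should also lose the hyphen). Since the docs page under `hunting/aws/docs/` is generated from this TOML, fix them here and regenerate rather than patching the markdown by hand. The query comments need the same correction as the markdown copy: the `STATS ... BY` grouping has no daily bucket and no resource field, so the "daily bucket ... resource" and "per day" comments overstate what the query computes.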
3 changes: 2 additions & 1 deletion hunting/index.md
@@ -4,7 +4,8 @@ Here are the queries currently available:


## aws
- [AWS IAM Customer-Managed Policy Attachment for Privilege Escalation](./aws/docs/iam_customer_managed_policies_attached_to_existing_roles.md) (ES|QL)
- [AWS IAM Customer-Managed Policy Attachment to Existing Roles](./aws/docs/iam_customer_managed_policies_attached_to_existing_roles.md) (ES|QL)
- [AWS IAM Unusual AWS Access Key Usage for User](./aws/docs/iam_unusual_access_key_usage_for_user.md) (ES|QL)
- [EC2 Modify Instance Attribute User Data](./aws/docs/ec2_modify_instance_attribute_user_data.md) (ES|QL)
- [EC2 Suspicious Get User Password Request](./aws/docs/ec2_suspicious_get_user_password_request.md) (ES|QL)
- [High EC2 Instance Deployment Count Attempts by Single User or Role](./aws/docs/ec2_high_instance_deployment_count_attempts.md) (ES|QL)
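Review bot: The renamed entry (`AWS IAM Customer-Managed Policy Attachment for Privilege Escalation` becoming `... to Existing Roles`) is unrelated to the hunt this commit adds and is not mentioned in the commit message. If it is the by-product of regenerating the index from a TOML that was already renamed, say so in the message; otherwise the rename belongs in its own change together with the matching title in `./aws/docs/iam_customer_managed_policies_attached_to_existing_roles.md`, which this commit does not touch.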
7 changes: 6 additions & 1 deletion hunting/index.yml
@@ -365,10 +365,15 @@ aws:
mitre:
- T1550.001
418baaf2-9ae1-11ef-be63-f661ea17fbcd:
name: AWS IAM Customer-Managed Policy Attachment for Privilege Escalation
name: AWS IAM Customer-Managed Policy Attachment to Existing Roles
path: ./aws/queries/iam_customer_managed_policies_attached_to_existing_roles.toml
mitre:
- T1548.005
18ce3dbc-b1b3-11ef-9e63-f661ea17fbce:
name: AWS IAM Unusual AWS Access Key Usage for User
path: ./aws/queries/iam_unusual_access_key_usage_for_user.toml
mitre:
- T1078.004
windows:
44e6adc6-e183-4bfa-b06d-db41669641fa:
name: Rundll32 Execution Aggregated by Command Line
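Review bot: The same rename of `418baaf2-9ae1-11ef-be63-f661ea17fbcd` appears here, with the same missing mention in the commit message; the new `18ce3dbc-b1b3-11ef-9e63-f661ea17fbce` entry itself is consistent with the TOML (name, `path` and `T1078.004`). If `index.yml` and `index.md` are generator output, confirm both were produced by the generator in this commit rather than edited by hand, so the rename and the new hunt do not drift from their TOML sources on the next regeneration.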
2 changes: 1 addition & 1 deletion pyproject.toml
@@ -1,6 +1,6 @@
[project]
name = "detection_rules"
version = "0.3.4"
version = "0.3.5"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
readme = "README.md"
requires-python = ">=3.12"
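Review bot: A patch-level bump from 0.3.4 to 0.3.5 is fine for a data-only addition, but because this commit is a cherry-pick of 28ffebb, check that 0.3.5 has not already been taken on the target branch; a duplicated version string is the usual way cherry-picked bumps collide with the original release.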
