From d37562f536cf7813d7a20d3ea2ddedbc9bbfcb68 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Tue, 3 Dec 2024 12:26:49 -0800
Subject: [PATCH 1/4] new hunt 'AWS IAM Unusual AWS Access Key Usage for User'
---
 .../iam_unusual_access_key_usage_for_user.md | 60 +++++++++++++++++++
 ...iam_unusual_access_key_usage_for_user.toml | 51 ++++++++++++++++
 hunting/index.md | 3 +-
 hunting/index.yml | 7 ++-
 4 files changed, 119 insertions(+), 2 deletions(-)
 create mode 100644 hunting/aws/docs/iam_unusual_access_key_usage_for_user.md
 create mode 100644 hunting/aws/queries/iam_unusual_access_key_usage_for_user.toml
diff --git a/hunting/aws/docs/iam_unusual_access_key_usage_for_user.md b/hunting/aws/docs/iam_unusual_access_key_usage_for_user.md
new file mode 100644
index 00000000000..4fd05312191
--- /dev/null
+++ b/hunting/aws/docs/iam_unusual_access_key_usage_for_user.md
@@ -0,0 +1,60 @@
+# AWS IAM Unusual AWS Access Key Usage for User
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunting query gathers data from AWS CloudTrail logs to identify unusual AWS access key usage for a user. By detecting instances where an access key is used infrequently for a specific AWS event, this query helps identify potential misuse or abuse of AWS access keys. Adversaries may use access keys to gain unauthorized access to AWS resources, exfiltrate data, or perform other malicious activities within the environment.
+
+- **UUID:** `18ce3dbc-b1b3-11ef-9e63-f661ea17fbce`
+- **Integration:** [aws.cloudtrail](https://docs.elastic.co/integrations/aws/cloudtrail)
+- **Language:** `[ES|QL]`
+- **Source File:** [AWS IAM Unusual AWS Access Key Usage for User](../queries/iam_unusual_access_key_usage_for_user.toml)
+
+## Query
+
+```sql
+FROM logs-aws.cloudtrail*
+// Limit the search to the last 14 days
+| WHERE @timestamp > now() - 14 day
+| WHERE
+ // Filter for successful AWS CloudTrail events
+ event.dataset == "aws.cloudtrail"
+ and event.outcome == "success"
+
+ // Filter for AWS CloudTrail events with user identity and access key information
+ and aws.cloudtrail.user_identity.access_key_id IS NOT NULL
+ and aws.cloudtrail.resources.arn IS NOT NULL
+
+ // Ignore GetObject events
+ and event.action NOT IN ("GetObject")
+
+// Create a daily bucket for the events
+| EVAL daily_buckets = DATE_TRUNC(1 days, @timestamp)
+| STATS
+ // Count the number of events for each daily bucket, user identity, access key, resource, and action
+ api_counts = count(*) by daily_buckets, aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, aws.cloudtrail.resources.arn, event.action
+
+// Filter for access keys with less than 2 API calls per day
+| WHERE api_counts < 2
+| SORT api_counts ASC
+```
+
+## Notes
+
+- Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify the user and access key involved in the unusual access key usage.
+- Review the infrequente AWS events (`event.action`), associated with the access key to determine the potential impact of the unusual access key usage.
+- Within AWS, determine is the access key is temporary or permanent and if it is associated with a specific user or role.
+- If the access key is associated with a specific role, review the permissions and policies associated with the role to determine the potential impact of the unusual access key usage.
+- If the access key is associated with an assumed role, review the resources assigned to the role. Consider pivoting on EC2 or Lambda-based roles if identified and examine session metadata within the last 24-hours.
+- Consider reviewing the `source.address` field to identify the IP address of the actor responsible for the unusual access key usage.
+- If the access key is perminant and tied to a user or role, consider rotating the access key to prevent further unauthorized access.
+
+## MITRE ATT&CK Techniques
+
+- [T1078.004](https://attack.mitre.org/techniques/T1078/004)
+
+## License
+
+- `Elastic License v2`
diff --git a/hunting/aws/queries/iam_unusual_access_key_usage_for_user.toml b/hunting/aws/queries/iam_unusual_access_key_usage_for_user.toml
new file mode 100644
index 00000000000..5703503161b
--- /dev/null
+++ b/hunting/aws/queries/iam_unusual_access_key_usage_for_user.toml
@@ -0,0 +1,51 @@
+[hunt]
+author = "Elastic"
+description = """
+This hunting query gathers data from AWS CloudTrail logs to identify unusual AWS access key usage for a user. By detecting instances where an access key is used infrequently for a specific AWS event, this query helps identify potential misuse or abuse of AWS access keys. Adversaries may use access keys to gain unauthorized access to AWS resources, exfiltrate data, or perform other malicious activities within the environment.
+"""
+integration = ["aws.cloudtrail"]
+uuid = "18ce3dbc-b1b3-11ef-9e63-f661ea17fbce"
+name = "AWS IAM Unusual AWS Access Key Usage for User"
+language = ["ES|QL"]
+license = "Elastic License v2"
+notes = [
+"Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify the user and access key involved in the unusual access key usage.",
+"Review the infrequente AWS events (`event.action`), associated with the access key to determine the potential impact of the unusual access key usage.",
+"Within AWS, determine is the access key is temporary or permanent and if it is associated with a specific user or role.",
+"If the access key is associated with a specific role, review the permissions and policies associated with the role to determine the potential impact of the unusual access key usage.",
+"If the access key is associated with an assumed role, review the resources assigned to the role. Consider pivoting on EC2 or Lambda-based roles if identified and examine session metadata within the last 24-hours.",
+"Consider reviewing the `source.address` field to identify the IP address of the actor responsible for the unusual access key usage.",
+"If the access key is perminant and tied to a user or role, consider rotating the access key to prevent further unauthorized access."
+]
+mitre = ['T1078.004']
+query = [
+'''
+FROM logs-aws.cloudtrail*
+// Limit the search to the last 14 days
+| WHERE @timestamp > now() - 14 day
+| WHERE
+ // Filter for successful AWS CloudTrail events
+ event.dataset == "aws.cloudtrail"
+ and event.outcome == "success"
+
+ // Filter for AWS CloudTrail events with user identity and access key information
+ and aws.cloudtrail.user_identity.access_key_id IS NOT NULL
+ and aws.cloudtrail.resources.arn IS NOT NULL
+
+ // Ignore GetObject events
+ and event.action NOT IN ("GetObject")
+
+ // Filter out known service roles; expand this as needed
+ and NOT aws.cloudtrail.user_identity.arn LIKE "*AWSServiceRoleForConfig*"
+ and NOT aws.cloudtrail.user_identity.arn LIKE "*Elastic-Cloud-Security-Posture*"
+ and NOT aws.cloudtrail.user_identity.arn LIKE "*AmazonSSMRoleForInstancesQuickSetup*"
+
+| STATS
+ // Count the number of events for each daily bucket, user identity, access key, resource, and action
+ api_counts = count(*) by aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, event.action
+
+// Filter for access keys with less than 2 API calls per day
+| WHERE api_counts < 2
+| SORT api_counts ASC
+'''
+]
diff --git a/hunting/index.md b/hunting/index.md
index a766fca1856..7b014415d8b 100644
--- a/hunting/index.md
+++ b/hunting/index.md
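Review bot: The two comments inside the STATS and threshold section of the query are stale: they still describe a daily bucket, a resource dimension and a per-day threshold, but the `by` clause groups on the caller ARN, the access key id and `event.action` alone, and `api_counts < 2` is therefore evaluated over the full 14-day window, so the lines should read `// Count the number of events for each user identity, access key, and action over the search window` and `// Filter for actions an access key performed only once in the last 14 days`. The same stale comments are carried into the markdown copy of the query in the later "updating markdown" hunk. With `aws.cloudtrail.resources.arn` no longer part of the grouping, the `and aws.cloudtrail.resources.arn IS NOT NULL` predicate presumably now only narrows the hunt to events that carry a resource ARN, which may silently exclude API calls CloudTrail logs without one; either drop it or state the intent in its comment. The service-role exclusions are substring `LIKE` matches on the caller ARN, so a comment such as `// NOTE: substring match - any principal whose ARN contains one of these names is excluded, not only the AWS-managed roles` would make the trade-off visible to whoever expands the list. The notes strings also carry typos worth fixing before release: `infrequente`, `determine is the`, `perminant`.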
@@ -4,7 +4,8 @@ Here are the queries currently available:
 ## aws
-- [AWS IAM Customer-Managed Policy Attachment for Privilege Escalation](./aws/docs/iam_customer_managed_policies_attached_to_existing_roles.md) (ES|QL)
+- [AWS IAM Customer-Managed Policy Attachment to Existing Roles](./aws/docs/iam_customer_managed_policies_attached_to_existing_roles.md) (ES|QL)
+- [AWS IAM Unusual AWS Access Key Usage for User](./aws/docs/iam_unusual_access_key_usage_for_user.md) (ES|QL)
 - [EC2 Modify Instance Attribute User Data](./aws/docs/ec2_modify_instance_attribute_user_data.md) (ES|QL)
 - [EC2 Suspicious Get User Password Request](./aws/docs/ec2_suspicious_get_user_password_request.md) (ES|QL)
 - [High EC2 Instance Deployment Count Attempts by Single User or Role](./aws/docs/ec2_high_instance_deployment_count_attempts.md) (ES|QL)
diff --git a/hunting/index.yml b/hunting/index.yml
index e7b44f52e63..ba1152c6d7e 100644
--- a/hunting/index.yml
+++ b/hunting/index.yml
@@ -365,10 +365,15 @@ aws:
 mitre:
 - T1550.001
 418baaf2-9ae1-11ef-be63-f661ea17fbcd:
- name: AWS IAM Customer-Managed Policy Attachment for Privilege Escalation
+ name: AWS IAM Customer-Managed Policy Attachment to Existing Roles
 path: ./aws/queries/iam_customer_managed_policies_attached_to_existing_roles.toml
 mitre:
 - T1548.005
+ 18ce3dbc-b1b3-11ef-9e63-f661ea17fbce:
+ name: AWS IAM Unusual AWS Access Key Usage for User
+ path: ./aws/queries/iam_unusual_access_key_usage_for_user.toml
+ mitre:
+ - T1078.004
 windows:
 44e6adc6-e183-4bfa-b06d-db41669641fa:
 name: Rundll32 Execution Aggregated by Command Line
From 4330cbb9ba8b39436e36c726ef5b0a77f8ac03bd Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Tue, 3 Dec 2024 12:33:17 -0800
Subject: [PATCH 2/4] updated version
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index ad459c11c78..654cd85ca30 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.3.0"
+version = "0.3.1"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
From 7b88b36d294407cc1ea2ab1b0acbbbf3104162a9 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Tue, 3 Dec 2024 12:46:20 -0800
Subject: [PATCH 3/4] updating markdown
---
 .../aws/docs/iam_unusual_access_key_usage_for_user.md | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/hunting/aws/docs/iam_unusual_access_key_usage_for_user.md b/hunting/aws/docs/iam_unusual_access_key_usage_for_user.md
index 4fd05312191..c500c08566b 100644
--- a/hunting/aws/docs/iam_unusual_access_key_usage_for_user.md
+++ b/hunting/aws/docs/iam_unusual_access_key_usage_for_user.md
@@ -30,11 +30,14 @@ FROM logs-aws.cloudtrail*
 // Ignore GetObject events
 and event.action NOT IN ("GetObject")
-// Create a daily bucket for the events
-| EVAL daily_buckets = DATE_TRUNC(1 days, @timestamp)
+ // Filter out known service roles; expand this as needed
+ and NOT aws.cloudtrail.user_identity.arn LIKE "*AWSServiceRoleForConfig*"
+ and NOT aws.cloudtrail.user_identity.arn LIKE "*Elastic-Cloud-Security-Posture*"
+ and NOT aws.cloudtrail.user_identity.arn LIKE "*AmazonSSMRoleForInstancesQuickSetup*"
+
 | STATS
 // Count the number of events for each daily bucket, user identity, access key, resource, and action
- api_counts = count(*) by daily_buckets, aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, aws.cloudtrail.resources.arn, event.action
+ api_counts = count(*) by aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, event.action
 // Filter for access keys with less than 2 API calls per day
 | WHERE api_counts < 2
From 768a1f2bcf72ed36faf30c2241399964925ed006 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Tue, 10 Dec 2024 16:13:46 -0500
Subject: [PATCH 4/4] bumping version
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index 654cd85ca30..a31d59a3d32 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.3.1"
+version = "0.3.5"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"